Google’s Alternative to the Password

Life would be more secure if we used USB sticks, or even jewelry, to log into computer accounts, suggest Google engineers

Tom Simonitearchive page

January 18, 2013

Google is using its workers as guinea pigs in an effort to do away with the password as the vulnerable lynchpin that secures everything from social media profiles to bank accounts.

A compact USB key like this could be an alternative to typing passwords

In an upcoming paper from two senior Google employees that work on security – first brought to light by Wired – it is revealed that the company is considering how to make the password something used only rarely. Instead, trials involve people logging in simply by plugging in a compact USB key like the one picture above.

The Google authors, Eric Grosse, VP of security engineering and Mayank Upadhyay, a principal engineer who specializes in security, list many familiar reasons why passwords don’t cut it. Among them, that people choose them badly, lose them, write them down, and reuse them across services; that passwords can be intercepted by malware; and that password servers can be compromised over the Internet.

The best answer to those problems Google currently offers, known as two factor authentication, is not a long term solution, write Grosse and Upadhyay. The system has been increasingly promoted by Google, and adopted by millions of people, and requires that after entering their password a person must provide a temporary code from a text message or smartphone app to login. But the codes displayed by text messages and apps can be intercepted, and the central database that tracks authorized computers exempt from two factor authentication could be compromised.

The paper says that Google is internally testing a safer alternative using devices that sound identical to the USB keyfob pictured, made by Yubikey (I recently met Yubikey’s CEO who said they were working with a “major cloud company” on a big project). After someone has connected their unique key with their account, they just plug it into a computer whenever they need to log in. Google has created new software that allows a website to use the Chrome browser to perform a brief cryptographic exchange with a key, proving that it is the one associated with a person’s account. No data is generated during that exchange that could be used to impersonate the key , so without a key it no one can log into an account.

Adopting that approach, says the paper, could mean that people rarely use passwords at all and “only need a strong password for deep backup.” The company’s intention is to release the details of that approach as an open standard to be adopted by other companies.

The Googlers’ proposal gets somewhat less plasuible when they suggest a solution to the problem that not everyone will find a USB key convenient:

“Some more appealing form factors might involve integration with smartphones or jewelry that the user is likely to carry anyway. We would like your smartphone or your smartcard-embedded finger ring to authorize a new computer via a tap to the computer, even in situations where your phone might be without cellular connectivity.”

One of the biggest technical problems to that idea is that there’s no widely adopted method for devices to speak directly to one another when in the same place. Google is experimenting with Near Field Communication chips that allow devices to be “tapped” together to connect as one solution, says the article, but they’re only just appearing in smartphones and are almost non-existent in PCs.