Tom Simonite

A View from Tom Simonite

Google’s Alternative to the Password

Life would be more secure if we used USB sticks, or even jewelry, to log into computer accounts, suggest Google engineers

  • January 18, 2013

Google is using its workers as guinea pigs in an effort to do away with the password as the vulnerable lynchpin that secures everything from social media profiles to bank accounts.

A compact USB key like this could be an alternative to typing passwords

An upcoming paper from two senior Google employees who work on security, first brought to light by Wired, reveals that the company is considering how to make the password something used only rarely. Instead, trials involve people logging in simply by plugging in a compact USB key like the one pictured above.

The Google authors, Eric Grosse, VP of security engineering, and Mayank Upadhyay, a principal engineer who specializes in security, list many familiar reasons why passwords don’t cut it. Among them: people choose them badly, lose them, write them down, and reuse them across services; passwords can be intercepted by malware; and password servers can be compromised over the Internet.

The best answer to those problems Google currently offers, known as two-factor authentication, is not a long-term solution, write Grosse and Upadhyay. The system has been increasingly promoted by Google and adopted by millions of people; it requires that, after entering their password, a person provide a temporary code from a text message or smartphone app to log in. But the codes displayed by text messages and apps can be intercepted, and the central database that tracks authorized computers exempt from two-factor authentication could be compromised.

The paper says that Google is internally testing a safer alternative using devices that sound identical to the USB keyfob pictured, made by Yubikey (I recently met Yubikey’s CEO who said they were working with a “major cloud company” on a big project). After someone has connected their unique key with their account, they just plug it into a computer whenever they need to log in. Google has created new software that allows a website to use the Chrome browser to perform a brief cryptographic exchange with a key, proving that it is the one associated with a person’s account. No data is generated during that exchange that could be used to impersonate the key, so without a key no one can log into an account.
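The property described above, that nothing seen during the exchange lets anyone impersonate the key later, can be shown with a small challenge-response sketch. This is an added example, not code from the paper, Google or Yubikey; the article does not name the protocol, so the use of ECDSA P-256 signatures over a random challenge, and the `SecurityKey` and `Website` classes, are assumptions made for illustration.

```javascript
// Added illustration only: not Google's or Yubikey's code. The article does not
// name the algorithm; ECDSA P-256 signatures over a random challenge are assumed.
const crypto = require("crypto");

// Hypothetical hardware key: the private key is created on it and never leaves it.
class SecurityKey {
  constructor() {
    const pair = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.publicKey = pair.publicKey; // handed to the website at enrollment
    this._privateKey = pair.privateKey;
  }
  respond(challenge) {
    return crypto.sign("sha256", challenge, this._privateKey);
  }
}

// Hypothetical website: stores only public keys, so its database holds no login secret.
class Website {
  constructor() { this.keys = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.keys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32); // fresh and unpredictable per login
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    const publicKey = this.keys.get(user);
    this.pending.delete(user); // each challenge is accepted at most once
    if (!challenge || !publicKey) return false;
    return crypto.verify("sha256", challenge, publicKey, signature);
  }
}

function demo() {
  const site = new Website();
  const key = new SecurityKey();
  site.enroll("alice", key.publicKey);

  const captured = key.respond(site.newChallenge("alice"));
  const legit = site.verify("alice", captured); // genuine login with the enrolled key

  site.newChallenge("alice");
  const replay = site.verify("alice", captured); // recorded response, new challenge

  const other = new SecurityKey(); // a different device, not enrolled for alice
  const otherKey = site.verify("alice", other.respond(site.newChallenge("alice")));
  return { legit, replay, otherKey };
}

console.log(demo());
```

Only the first attempt succeeds: a response recorded from one login does not verify against the next challenge, and a key that was never enrolled cannot produce a valid signature.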

Adopting that approach, says the paper, could mean that people rarely use passwords at all and “only need a strong password for deep backup.” The company’s intention is to release the details of that approach as an open standard to be adopted by other companies.

The Googlers’ proposal gets somewhat less plausible when they suggest a solution to the problem that not everyone will find a USB key convenient:

“Some more appealing form factors might involve integration with smartphones or jewelry that the user is likely to carry anyway. We would like your smartphone or your smartcard-embedded finger ring to authorize a new computer via a tap to the computer, even in situations where your phone might be without cellular connectivity.”

One of the biggest technical problems with that idea is that there’s no widely adopted method for devices to speak directly to one another when in the same place. Google is experimenting with Near Field Communication chips, which allow devices to be “tapped” together to connect, as one solution, says the article, but they’re only just appearing in smartphones and are almost non-existent in PCs.
