A View from Tom Simonite

Google’s Alternative to the Password

Life would be more secure if we used USB sticks, or even jewelry, to log into computer accounts, suggest Google engineers

January 18, 2013

Google is using its workers as guinea pigs in an effort to do away with the password as the vulnerable lynchpin that secures everything from social media profiles to bank accounts.

A compact USB key like this could be an alternative to typing passwords

In an upcoming paper from two senior Google employees who work on security – first brought to light by Wired – it is revealed that the company is considering how to make the password something used only rarely. Instead, trials involve people logging in simply by plugging in a compact USB key like the one pictured above.

The Google authors, Eric Grosse, VP of security engineering, and Mayank Upadhyay, a principal engineer who specializes in security, list many familiar reasons why passwords don’t cut it. Among them: that people choose them badly, lose them, write them down, and reuse them across services; that passwords can be intercepted by malware; and that password servers can be compromised over the Internet.

The best answer to those problems Google currently offers, known as two-factor authentication, is not a long-term solution, write Grosse and Upadhyay. The system has been increasingly promoted by Google and adopted by millions of people, and requires that after entering their password a person must provide a temporary code from a text message or smartphone app to log in. But the codes displayed by text messages and apps can be intercepted, and the central database that tracks authorized computers exempt from two-factor authentication could be compromised.

The paper says that Google is internally testing a safer alternative using devices that sound identical to the USB keyfob pictured, made by Yubikey (I recently met Yubikey’s CEO, who said they were working with a “major cloud company” on a big project). After someone has connected their unique key with their account, they just plug it into a computer whenever they need to log in. Google has created new software that allows a website to use the Chrome browser to perform a brief cryptographic exchange with a key, proving that it is the one associated with a person’s account. No data is generated during that exchange that could be used to impersonate the key, so without the key no one can log into the account.
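The exchange described above, modelled as an added example (not Google’s, Yubikey’s or the paper’s code): the key pair lives on the token, the server keeps only the public key, and each login signs a fresh random challenge, so neither a captured response nor a copy of the server database lets anyone stand in for the key. The page does not name an algorithm; Ed25519 and a 32-byte challenge are assumptions here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Token models the USB key: the private key is generated on the device and never leaves it.
type Token struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // only this half is given to the server at enrolment
}

func NewToken() (*Token, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv, Pub: pub}, nil
}

// Respond signs one login challenge; the signature is bound to that challenge only.
func (t *Token) Respond(challenge []byte) []byte { return ed25519.Sign(t.priv, challenge) }

// Server stores public keys only, so a copy of its database cannot impersonate a token.
type Server struct{ keys map[string]ed25519.PublicKey }

func NewServer() *Server { return &Server{keys: map[string]ed25519.PublicKey{}} }
func (s *Server) Enrol(account string, pub ed25519.PublicKey) { s.keys[account] = pub }
// Challenge issues 32 fresh random bytes (assumed size); every login attempt gets a new one.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts a response only if it signs this exact challenge with the enrolled key.
func (s *Server) Verify(account string, challenge, response []byte) bool {
	pub, ok := s.keys[account]
	return ok && ed25519.Verify(pub, challenge, response)
}

func main() {
	tok, _ := NewToken()
	srv := NewServer()
	srv.Enrol("alice", tok.Pub)
	c, _ := srv.Challenge()
	fmt.Println("login ok:", srv.Verify("alice", c, tok.Respond(c))) // login ok: true
}
```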

Adopting that approach, says the paper, could mean that people rarely use passwords at all and “only need a strong password for deep backup.” The company’s intention is to release the details of that approach as an open standard to be adopted by other companies.

The Googlers’ proposal gets somewhat less plausible when they suggest a solution to the problem that not everyone will find a USB key convenient:

“Some more appealing form factors might involve integration with smartphones or jewelry that the user is likely to carry anyway. We would like your smartphone or your smartcard-embedded finger ring to authorize a new computer via a tap to the computer, even in situations where your phone might be without cellular connectivity.”

One of the biggest technical problems with that idea is that there’s no widely adopted method for devices to speak directly to one another when in the same place. Google is experimenting with Near Field Communication chips that allow devices to be “tapped” together to connect as one solution, says the paper, but they’re only just appearing in smartphones and are almost non-existent in PCs.
