Google’s Alternative to the Password

Life would be more secure if we used USB sticks, or even jewelry, to log into computer accounts, suggest Google engineers
January 18, 2013

Google is using its workers as guinea pigs in an effort to do away with the password as the vulnerable lynchpin that secures everything from social media profiles to bank accounts.

A compact USB key like this could be an alternative to typing passwords

In an upcoming paper from two senior Google employees who work on security – first brought to light by Wired – it is revealed that the company is considering how to make the password something used only rarely. Instead, trials involve people logging in simply by plugging in a compact USB key like the one pictured above.

The Google authors, Eric Grosse, VP of security engineering, and Mayank Upadhyay, a principal engineer who specializes in security, list many familiar reasons why passwords don’t cut it. Among them: people choose them badly, lose them, write them down, and reuse them across services; passwords can be intercepted by malware; and password servers can be compromised over the Internet.

The best answer to those problems Google currently offers, known as two-factor authentication, is not a long-term solution, write Grosse and Upadhyay. The system has been increasingly promoted by Google and adopted by millions of people; it requires that, after entering a password, a person provide a temporary code from a text message or smartphone app to log in. But the codes displayed by text messages and apps can be intercepted, and the central database that tracks authorized computers exempt from two-factor authentication could be compromised.

The paper says that Google is internally testing a safer alternative using devices that sound identical to the USB keyfob pictured, made by Yubikey (I recently met Yubikey’s CEO who said they were working with a “major cloud company” on a big project). After someone has connected their unique key with their account, they just plug it into a computer whenever they need to log in. Google has created new software that allows a website to use the Chrome browser to perform a brief cryptographic exchange with a key, proving that it is the one associated with a person’s account. No data is generated during that exchange that could be used to impersonate the key, so without a key no one can log into an account.
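
The exchange described above, sketched as an added example (not code from Google or the paper): the article does not name the algorithm, so an HMAC challenge-response stands in for it, and `Token`, `Server` and the origin URL are hypothetical. A response observed during one login is rejected on the next because every challenge is random and single-use.

```python
import hashlib
import hmac
import secrets

def _mac(secret, origin, challenge):
    # Bind the answer to one site and one challenge.
    return hmac.new(secret, origin.encode() + b"\x00" + challenge, hashlib.sha256).digest()

class Token:
    """Stands in for the USB key; during login it only ever emits responses."""
    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def enroll(self):
        # Assumption: a shared secret is registered once. A public-key
        # scheme would hand the site only a public key at this step.
        return self._secret

    def respond(self, origin, challenge):
        return _mac(self._secret, origin, challenge)

class Server:
    def __init__(self, origin):
        self.origin = origin
        self.keys = {}      # account -> enrolled secret
        self.pending = {}   # account -> outstanding challenge

    def register(self, account, token):
        self.keys[account] = token.enroll()

    def new_challenge(self, account):
        self.pending[account] = secrets.token_bytes(32)
        return self.pending[account]

    def verify(self, account, response):
        challenge = self.pending.pop(account, None)  # each challenge is single use
        if challenge is None or account not in self.keys:
            return False
        expected = _mac(self.keys[account], self.origin, challenge)
        return hmac.compare_digest(expected, response)

def demo():
    server, token = Server("https://accounts.example"), Token()
    server.register("alice", token)
    response = token.respond(server.origin, server.new_challenge("alice"))
    genuine = server.verify("alice", response)
    server.new_challenge("alice")  # next login attempt gets a fresh challenge
    replayed = server.verify("alice", response)  # observed response is now stale
    return genuine, replayed
```

`demo()` returns `(True, False)`: the genuine login succeeds and the replayed response fails.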

Adopting that approach, says the paper, could mean that people rarely use passwords at all and “only need a strong password for deep backup.” The company’s intention is to release the details of that approach as an open standard to be adopted by other companies.

The Googlers’ proposal gets somewhat less plausible when they suggest a solution to the problem that not everyone will find a USB key convenient:

“Some more appealing form factors might involve integration with smartphones or jewelry that the user is likely to carry anyway. We would like your smartphone or your smartcard-embedded finger ring to authorize a new computer via a tap to the computer, even in situations where your phone might be without cellular connectivity.”

One of the biggest technical problems with that idea is that there’s no widely adopted method for devices to speak directly to one another when in the same place. As one solution, Google is experimenting with Near Field Communication chips that allow devices to be “tapped” together to connect, says the article, but they’re only just appearing in smartphones and are almost non-existent in PCs.
