Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Connectivity

Google Wants to Replace All Your Passwords with a Ring

The world’s largest search engine is now experimenting with jewelry that would eliminate the need to remember dozens of passwords.

Passwords remain the standard method of protecting personal accounts, but people struggle to remember them, and they are often stored insecurely.

As part of research into doing away with typed passwords, Google has built rings that not only adorn a finger but also can be used to log in to a computer or online account.

The search and ad company first revealed its plans to put an end to passwords in an academic paper published online in January (see “Google’s Alternative to the Password”). The effort focused on having people plug a small USB key that provides their credentials into a computer. The possibility of using special jewelry in a similar manner was mentioned in that paper.

At the RSA security conference in San Francisco last month, Mayank Upadhyay, a principal engineer at Google who specializes in security, became the first person at Google to speak in public about that research. He said that using personal hardware to log in would remove the dangers of people reusing passwords or writing them down. He also thought people would feel some familiarity with the approach. “Everyone is familiar with an ATM. What if you could use the same experience with a computer?”

Upadhyay said that Google’s trial was focused on a slim USB key that performs a cryptographic transaction with an online service to prove the key’s validity when it’s plugged into a computer. The key also has a contactless chip inside so that it can be used to log in via mobile devices.

Tokens like the ones Google is testing do not contain a static password that could be copied. The cryptographic key unique to the device is stored inside and is never transmitted. When the key is plugged in, it proves its validity by correctly responding to a mathematical challenge posed by the online service it is being used to log into, in a way that doesn’t produce any information that could be used to log in again.

Speaking after the session, Upadhyay said that the company also had a prototype ring that could take the place of a password token, although he didn’t give details on how it works. “Some people are not comfortable with a [USB] token,” he said.

Google is already talking with other companies to lay the groundwork for using the technology to access different services and websites. “It’s extremely early stages, and we’re trying to get more partners,” said Upadhyay. Talks have already started with the FIDO Alliance, a consortium that in February launched technology intended to enable new methods of secure log-in that rely less heavily on typed passwords (see “PayPal, Lenovo Launch New Campaign to Kill the Password”).

“The other cool thing, which we’re really pushing for, is that it’s just built into the browser, so that you don’t have to bother installing middleware or anything else,” said Upadhyay. “We want to have the case where you could just go to your friend’s house and it just works.”

Google already offers a more secure log-in service called two-factor authentication, which involves a person entering a one-time code sent to their cell phone each time they log in. However, only an estimated 1 percent of Google’s users have adopted it, and Upadhyay says most people consider it too much effort to use.

Upadhyay didn’t say which company supplied the hardware at the core of the new trial, but the features he described are identical to a USB security key called the NEO launched in 2012 by Yubikey, a California company. Consumers can buy a NEO for $50, although companies buy them in bulk at lower prices.

Tech Obsessive?
Become an Insider to get the story behind the story — and before anyone else.

Subscribe today

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

More from Connectivity

What it means to be constantly connected with each other and vast sources of information.

Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Bimonthly print magazine (6 issues per year)

    Bimonthly digital/PDF edition

    Access to the magazine PDF archive—thousands of articles going back to 1899 at your fingertips

    Special interest publications

    Discount to MIT Technology Review events

    Special discounts to select partner offerings

    Ad-free web experience

/
You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.