As the world continues to move everything - banking, document storage, correspondence, etc. - to the Internet, the specter of weak online security becomes more and more unnerving. It's already too dangerous to have a single password for all your various accounts, and even long, randomized individual codes can be circumvented by hackers. But what if there was an easier way?
If Google has any choice in the matter, the days of crazy, symbol-filled passwords that are impossible to remember will soon come to an end.
The company is currently experimenting with different ways to make accounts simultaneously easier to access and more difficult to break into, including encrypted rings and YubiKey cryptographic cards. The rings in particular are impressive: once a person is wearing one, all they have to do to log into their accounts is tap their ring finger on the computer. The YubiKey, meanwhile, is akin to a small USB stick that can automatically log you in to your Gmail (and, presumably, other accounts) when inserted into a USB port.
"We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity," wrote Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay in a research paper previewed by Wired. The paper will be published later in January in IEEE Security and Privacy Magazine.
Tests with the YubiKey in particular have involved a modified Google Chrome browser that allows the key to log users in, but the upside is that the browser wouldn't require an update to integrate the new technology.
These potential password replacements would make it significantly easier for users to access their entire range of accounts. Once a YubiKey or ring is activated, it would be used much like a car key. Users would have to carry it with them or keep it in a safe place as they would, say, their driver's license or house key, but hackers would be prevented from breaking into accounts unless they were able to obtain the physical key.
Some might be skeptical about storing access to all their accounts in a single device, but the past two years have made it increasingly clear that passwords alone are not enough. Numerous stories of email accounts being deleted and credit card numbers and passwords have been published in the past year alone, leaving security developers scrambling to update user protection systems.
"Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe," wrote Grosse and Upadhyay in their paper.
Google thinks that once most Web sites incorporate this technology, passwords will generally become unnecessary. Of course, the major obstacle standing before the spread of these keys and rings is getting everyone to trust and adopt them on a massive scale. The company is hoping that will someday be the case.
"Others have tried similar approaches but achieved little success in the consumer world," wrote Grosse and Upadhyay. "Although we recognize that our initiative will likewise remain speculative until we've proven large scale acceptance, we're eager to test it with other websites."