The Search Behemoth made headlines in recent days with what one news outlet called a “war on the password”. That declaration of war is embodied in a paper prepared by Google’s security team and scheduled to run in IEEE Security & Privacy Magazine this month.
According to Wired Magazine, which obtained a pre-publication copy of the article, Google Vice President of Security Eric Grosse and engineer Mayank Upadhyay declare that passwords and cookies are no longer adequate to protect the Internet’s citizenry. Alternatives to the password must be found, the two proclaim.
One alternative they cite is the Yubico cryptographic card. The card slips in the card reader found on most computers and acts as a “token” to verify a person’s identity.
When you insert the Yubico device into a card slot, it asks you for a PIN. Once activated with the PIN, the card will supply login information to your favorite websites, eliminating the need to remember passwords and login names.
It also removes password vulnerabilities. Stealing passwords from a website doesn’t do a hacker any good because a password won’t work without the Yubico key.
In order for Google’s scheme to work, it’s going to need broad acceptance. That could be a substantial problem, but not one that Google hasn’t considered. It’s working on a protocol for device-authentication that would be independent of Google, require only browser support to work and could not be used by websites to track users.
Tokens need not be limited to the Yubico key. They could include rings that support NFC, allowing you to tap the side of a keyboard or tablet when you want to log in to a website, or SIM cards for smartphones.
Needless to say, Yubico is excited about the prospect of being a key player in the future of Internet authentication.
“Imagine that you have one single key and one single password to securely access all your Internet life,” writes Stina Ehrensvard in the company’s YubiBlog.
“The key would not be issued, controlled or hosted by a government or a service provider,” she continues. “Instead, you would buy this key at your retail store, such as 7-Eleven or Amazon.com, similar to a gift card or pre-paid phone card.”
She explains that the key would allow you to connect to online services from any computer or mobile device by inserting it into a USB port or, if the device is NFC enabled, by touching the card to the device. It would also eliminate the need to remember scores of passwords.
The key coupled with Google’s protocol could solve some of the fundamental problems with authenticating identity on the Web, Ehrensvard maintained.
“And these are problems we need to fix soon,” she added. “Very soon. Or billions of people, along with the great creation named the Internet, will be in serious trouble.”
Ehrensvard concedes that there are some major hurdles to the implementation of Google’s grand scheme. They include aligning influential thought leaders and global stakeholders.
They also include consumers themselves. For as much as consumers complain about remembering passwords, they may be more inclined to stick with the devil they know than to embrace one they don’t. Remembering passwords may be annoying, but how much more annoying might it be to lose the key to one’s Internet life?