Google vision of password rings heard at security event

Mar 13, 2013 by Nancy Owano weblog

(Phys.org) —Google finds much appeal in gaining the distinction of leading the way toward a future where USB sticks and rings can replace traditional passwords. The idea of killing off passwords has been an attractive one at Google for some time. This year, remarks by a Google engineer indicate Google is still taking the challenge seriously. Speaking at the recent RSA security conference in San Francisco, Google principal engineer Mayank Upadhyay commented about Google's interest in a time when password obligations can be dumped and replaced with secure authentication tokens.

Google's focus on alternatives includes a slim USB key that is inserted into a computer to prove validity and that has a chip inside so that it can be used to log into the user's sites via smartphone or tablet. Another pathway toward password replacement could be in the form of special jewelry to validate the user's identity. Google has been paying additional attention to a prototype ring that could serve as an authentication device.

Google has been in touch with the FIDO (Fast IDentity Online) Alliance, formed in July last year to ease the way into more convenient but safe modes of authentication. The alliance hopes to come up with specifications for interoperable mechanisms that can end reliance on traditional passwords.

The argument in support of better authentication modes has been that the alternatives could relieve the headaches users have with forgotten or stolen passwords. Also, those who re-use their passwords across services have the risk of interception by . According to reports, Google has been discussing its aims with FIDO.

As of February this year, FIDO said its ranks included Internet companies, system integrators and security providers. The FIDO release said founding member organizations Agnitio, , Lenovo, Nok Nok Labs, , and Validity were developing the specification and FIDO-compliant products.

User comments : 15

Lurker2358
2.5 / 5 (10) Mar 13, 2013
Problem with hardware-based passwords is they can be lost or stolen.

A traditional password can be memorized by a person, and leave no physical thing to steal.

But it is true that "in theory" if the person never lost these things they would be more secure in the sense that you could have much longer passwords, but they would be less secure in the sense that they interface with other parts of the computer and the software, and could therefore be intercepted by a wider variety of viruses, worms, or other malware.

Also, capitalism will turn it into an excuse to charge tens of dollars a pop for a new password. Additionally, if you lose your key you're just screwed anyway, because the "answer a question only you would know" thing is no more secure than a normal password. In fact it makes normal passwords much less secure. It's like, "well, if you don't know password A maybe you know password B". So the hacker has twice the chance to break the code. It's all a joke.
ChangBroot
1.8 / 5 (9) Mar 13, 2013
It seems that the government is behind Google for such moves to keep track of its citizens. Google is growing bigger and bigger and they want to optimize their ads and profit by keeping a tap on every individual and their real identities. Before you know it, they would insert small identity-chips inside our body for "secure," password etc. We have already lost more than 80% of our freedom by giving our government the right to collect our personal information, the CCTVs and limiting our choices to "Democrats" and "Republicans," and the list goes on and on. The TV show "Continuum," is a perfect predictor of West's Future, but it already happened to Muslims.
jackjump
2.4 / 5 (7) Mar 13, 2013
Good idea but keep the passwords in case you lose your ring or stick. It shouldn't be required, just a convenience thing.
Royale
4 / 5 (4) Mar 13, 2013
Well Chang.. when clicking on the article I did not expect my take-away to be 'Watch Continuum', but that's exactly what has happened.. I guess I need a filler for Eureka anyways...
StarGazer2011
2.6 / 5 (7) Mar 13, 2013
Continuum is pretty good, B .
I agree with other posters that a ring or stick can still be stolen or potentially copied or infiltrated, so I am not clear how much better it would be. Even a surgically implanted RFID can be removed potentially.
Seems like a USB stick based identity would make 'identity theft' as easy as pinching someone's bag.

sennekuyl
4.5 / 5 (2) Mar 14, 2013
StarGazer2011: These would be a two factor authentication process. You need both the ring and a password. (Something you have and something you know security). 2 factor authentication throws the complexity up a notch for crackers while enabling users to utilise what are considered currently to be unsafe passwords. Such circumstance as using your cat and dogs names, "Buster&Spot". Currently that is a very unsafe password due to very low entropy and quite predictable based on demographics.

To make it secure you need at least another 4 characters but for such a memorable name it should really be greater than 20 characters, and more than the 26 - 40 familiar characters. See http://xkcd.com/936/

Alternatively 2 factor brings the passwords back to easy to remember (less than 10 characters) because you have: "PasswordYouRemember" "PasswordYouKeepWithYou". The second factor can easily be 64 characters making very secure passwords (cont)
sennekuyl
4.5 / 5 (2) Mar 14, 2013
(cont) while still being memorable. That reduces the likelihood of guessing any given user's credentials based on just knowing their username. You have to get their 2nd factor device & then guess their password.

As many passwords are initially stolen by downloading a database, breaking the encryption and then testing them against a user, the process has just become more secure for the majority of users. Similarly someone stealing a bag or USB device must then guess where they used the 2 factor device, guess the username/password, etc. Not impossible but has driven the difficulty for the cracker up into economically unfeasible; you have to make sure the person you are robbing is likely to have the data you want to steal.

Of course, this doesn't prevent targeted attacks, just random, opportunistic attacks. For those the $5 wrench decryption is hard to beat.

Nevertheless there are some problems with using 2 factor alluded to by jackjump. Losing the device means losing your data. (cont)
sennekuyl
4.5 / 5 (2) Mar 14, 2013
Actually forgetting either means no access to your data. There are some schemes that allow for a 'one-time' password override but they aren't common to my knowledge, probably due to complexity and cost-effectiveness. They also introduce an additional vector to be attacked; counter-intuitively reducing the security.

Obligatory: http://en.wikiped...tication

All in all I think they are a good thing. See Keepass, Roboform & Lastpass for password managers that can use 2 factor authentication.
Szkeptik
not rated yet Mar 14, 2013
Just have it implanted under your skin. That would be easiest and most secure. Put your hand over a chip reader and you're authenticated.
frajo
not rated yet Mar 14, 2013
I can't trust an alliance with PayPal as member organization. Their Wikileaks intervention shows a tendency to misuse customer data.
sennekuyl
5 / 5 (2) Mar 14, 2013
Do you really think your ISP would behave any differently? If they thought whatever government was after you they wouldn't just hand over your data after a token resistance?
beeferer
not rated yet Mar 17, 2013
What about retina scans and thumbprint logging? Wouldn't either of those work?
Lurker2358
2 / 5 (4) Mar 17, 2013
What about retina scans and thumbprint logging? Wouldn't either of those work?


No.

Ultimately, those would be converted to a digital memory, just like everything else, which would be hackable. It doesn't even increase the complexity of breaking the code compared to alpha-numeric passwords.

Also, some people's eyes change color. This means they wouldn't even be able to access their own data if they wear the wrong color clothes one day.

If you get some trash in your eye, or change contacts brand, or any other stupidity, it would alter biometrics as well.
phi-stee
not rated yet Mar 17, 2013
Not to mention it makes it easier to track people if they only have a couple security keys. That helps Google's targeted advertising a lot.
barakn
not rated yet Mar 25, 2013
Just have it implanted under your skin. That would be easiest and most secure. Put your hand over a chip reader and you're authenticated.

Oh, great, now we'll need tinfoil gloves.