Google is considering developing a ring that consumers can use to identify themselves securely online, as an alternative to passwords.
In a research paper, two of its engineers write that current strategies to prevent the hijacking of online accounts, including the two-step identity verification system, are insufficient, partly due to the constant threat of attacks that exploit new bugs.
“Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” the vice president of security at Google Eric Grosse and engineer Mayank Upadhyay will say in an upcoming engineering journal.
Google highlights phishing, in which hackers dupe account holders into revealing sensitive information by making them sign into a fake account login page, as one of the biggest security threats of today.
They explained that they are looking to a situation where to gain authorisation, users just have to tap on a computer with a smartphone or smartcard-embedded finger ring, even without being connected to the internet.
“It’s time to give up on elaborate password rules and look for something better,” the authors say. The research paper, by Google’s Eric Grosse and Mayank Upadhyay, is to be published Jan. 28 in the publication IEEE Security & Privacy.
One possible solution is the YubiKey, a tiny cryptographic USB stick that can replace passwords, which Mr Grosse and Mr Upadhyay used in their experiments.
Google says it is working on an internal pilot with an experimental USB device that users first register with multiple websites where they have accounts. A compliant browser would make two new APIs (application programming interfaces) available to the website to be passed down to the attached device.
“One of these APIs is called during the registration step, causing the hardware to generate a new public-private key pair and send the public key back to the website,” the paper explains. “The website calls the second API during authentication to deliver a challenge to the hardware and return the signed response.”
The method wouldn’t require any software to be installed, though users would need to be using a Web browser that’s compliant with the effort, Google said. The registration and authentication protocols would be open and free, and the device would connect with a computer’s USB without needing any special OS device drivers.
