Google looks to ditch passwords for good with NFC-based replacement

Google looks to ditch passwords for good with NFC-based replacement

Summary: Google engineers are looking at ways to stop using passwords, which they believe are no longer enough to keep users safe.

SHARE:
15

Google engineers are testing new tools that could replace passwords as the primary way of authenticating identity on the web.

Google is currently running a pilot that uses a YubiKey cryptographic card developed by Yubico — a startup operated out of Sweden and the US, which has produced a two-factor authentication fob that can emit encrypted one-time passwords to NFC-enabled smartphones.

YubiKey NEO fob
The YubiKey NEO fob.
(Credit: Yubico)

Google vice president of security Eric Grosse and engineer Mayank Upadhyay will detail the pilot — along with other ways people may be logging into websites in the future — in a research paper to be published in the IEEE Security and Privacy Magazine later this month.

"Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe," Grosse and Upadhyay wrote in their paper, according to a Wired report.

The pair does not imagine that passwords will completely disappear, but that they will have a less significant role in authenticating ID, playing second fiddle to smartphones or chip-embedded things as the primary authenticator.

"We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity," Wired quoted the pair as saying, hinting at the use of NFC capabilities already available in smartphones such as Samsung's Galaxy S3.

The pair's experiment with YubiKey used a log-in process that involves simply plugging a card into a USB reader and clicking the mouse. They were able to do this using a modified version of Chrome, according to Wired.

For the pilot to move beyond a "speculative" stage, the Google engineers acknowledge that other websites will need to support the approach, but say they have developed a device-based authentication protocol that is independent of Google.

As for Yubico, the company announced in November last year that at the request of online service providers, it was putting its NFC-enabled YubiKey NEO into production, using chips from Dutch semiconductor maker NXP.

The YubiKey NEO can be tapped on an NFC-enabled smartphone, which reads an encrypted one-time password emitted from the key fob.

Topics: Security, Google, Mobility

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

15 comments
Log in or register to join the discussion
  • USB Sticks

    In the UK, the last couple of years we have had many circumstances when we were told that officials of the government and the army who had left their memory stick on public transport. I wonder if google have thought about this, or what happens if you have it stolen?
    RedCup
    • Not only that...

      But what happens when you leave it in your pocket and run it through the wash or lose it or break it etc. etc. ?
      mrefuman
      • usb sticks can take a lot of abuse

        I myself washed and dryed mine on several occasions, and the usb stick is as good as new - only cleaner.
        ForeverSPb
    • Lost YubiKey

      You can de-register the Yubikey if you lose it. If you are using LastPass you can register multiple YubiKeys (have one for a backup). Typically, you have a username and password and then are prompted for the YubiKey. Something you know and then something you have. Having the YubiKey is worthless without knowing one of the person's username and passwords.
      smithmb01
  • Passwords vs. NFC

    You can't misplace a password, but you can forget it.
    ANY security system can be compromised whether password or physical.
    Passwords can be reset and acquired quickly whereas a lost fob/key... You're screwed until replaced.
    NFC is convenient, but is it more secure? What do they mean a one time password? Does your fob get a new password? What about a glitch? I will give Google righteous props for being innovative and forward thinking. However a lot of variables to consider before going prime time.
    jm001
    • Good technology

      NFC was designed from the ground up for security. It uses 128 bit AES. It's quite secure. The one-time password is derived from a unique code embedded on each key that changes every time you use it, so it's never the same again. The code and Google are synchronized so that Google knows what code will be coming from the key. This is not particularly new technology. My corporate VPN used to use a time-synchronized key from a different company. Here's some info on the technology: http://en.wikipedia.org/wiki/One-time_password.
      AlanK1
  • Password problem would get worse

    Right now there is a password problem, my password is variable and based on a specific algorithm that only I know, so this way I can keep the same password, but one hack doesn't modify my password everywhere. The problem with a hardware solution to the password is that unless everyone accepted the same encryption method then I would need as many (or more) hardware solutions as I have keys. For example just at work I have different passwords for timecards, evaluations, network security, internal websites, etc... and what's worse is they all run on different time schedules to rename the password and have different algorithms for the passwords, so even in a simple password environment, it's impossible to keep things in sync, unless everyone standardized on the same encryption method, the hardware solution would be even worse.

    Of course due to this widespread password usage, security has gotten worse because people now write their passwords down and post them to computers. Even if hardware could solve the problem and be surgically embedded into you (so you couldn't leave it behind), what would stop a thief from digging the chip out of you?
    pramseycom
  • It's a good idea

    The YubiKey is a good choice. It's waterproof and very hard to break. Since it's both NFC and USB it can work with both computers and NFC-enabled smartphones.

    Sure you can lose it, but you can also lose your car keys, credit cards and cash. There will need to be a good way to disable the old key and get a new one quickly.

    I don't think they'll ever get rid of passwords entirely because some people will be willing to trade security for convenience, but if security is important to you, you'll get something like this and you'll avoid losing it.
    AlanK1
  • Body Security?

    A few years ago there were news stories of Japanese companies using lip print readers to authenticate employee access to their computers (and possibly rooms). Aside from the sanitary logistics (keeping a handy supply of disposable transparent covers), I would hate thinking that I have to KISS the computer to get it to work for me (unless it had a voice like Siri, LOL).

    I have also heard of retina scanners, and the Dan Brown novel "Angels and Demons" told of a way that a sufficiently ruthless criminal could defeat them: the bad guy killed an authorized person and gouged out his eye! Similar ideas would work for palm prints and finger prints, unless the sensors also required infrared radiation from a warm body to show that blood was still circulating. And even then, by the time the bad guy discovered this, you, the authorized user, would STILL be out an eye or a hand, and/or DEAD.

    Speaking of voices, how about voiceprint recognition of a randomly selected phrase displayed on the screen (to avoid using a recording)? If you have a sore throat, the voice recognition system would log the fact that you are probably contagious and should be given sick leave!
    jallan32
    • Eye Scanner not work on dead person

      The eye scanner records the retina as it appears on a live person. Once the person is dead or the eye is removed from the person, the blood vessels in the eye retina die and thus change and are no longer recognizable to the scanner. That's why this is one of the methods used in the highest security levels of corporate or military. It can't be faked or fooled.
      Don Bird Man
    • Body Problems

      Don Bird Man is right about the retina scanner - it has to be a still-live person. Of course, you could be holding a gun to the other side of the guy's head and forcing him to look at the scanner!

      Other ways are also somewhat fraught - I wrote a system that watched your keystrokes as you entered your password - not only had the password to be right but the typing pattern had to match your original pattern. It worked great until there was a lunchtime party and people came back to work after 3 or 4 beers ... their typing coordination was off enough that they were all rejected :) Luckily the boss thought it highly amusing!
      LeMike
  • Memory held secrets ?

    The idea of carrying something around to prove you're who you say you are, dates back to signet rings used hundreds of years ago, and eagerly awaiting the arrival of a technical miracle - in the form of a piece of wizardry you carry around with you - is a complete waste of time. Once such a device falls into the wrong hands, it's game over (and I include embedded NFC chips, which desperate thieves might be tempted to remove, in this category).

    By the same token, biometrics are no panacea. If thieves break into the core secrets database and mess with the contents, again it's game over. Users can't be given new fingerprints or irises.
    The only thing that works is a good mentally held secret, which strongly authenticates the user, without the secret itself being revealed.
    For more on this see www.pinplus.net
    HelenReinson
    • PinPlus

      Interesting, Helen. I use this technique to remember some of my passwords that have to be changed frequently - I don't remember the password per se, rather I remember the basic pattern of key presses (and how they relate to each other) and an offset (start-point). It's just the start-point that changes. As you might expect I have some pretty unrememberable passwords :)
      LeMike
  • NFC

    About 7 years ago, I had a new Toshiba laptop with a biometric security device. As I understand it, this biometric device stored your passwords in a "vault", then when you accessed the device with fingerprints you previously registered, you would gain access. I liked the idea, but not necessarily the implementation. I could see potential, but also problems to be worked out. For instance, I never had a problem using this fingerprint scanner, but it did take practice to make it reliable, and my wife just never could make it work. Why not a retina scanner? I could see an adaptation of "Red Laser" for this, why not, if smart phone cameras are so good now, it could read your retina.
    But then, Red Laser is a software program, and all software can be falible, can't it?
    RFI devices work off NFC scanners, don't they? What about people walking next to you in a crowd with an NFC scanner designed to capture these codes?
    retmico
  • I give it 6 months

    Till hackers find a way to beat this. It's a chip with programming. It can be reverse engineered to see how it works. Then a new program can be created that will break the code used to create authentication.
    cuulblu