Google looks to ditch passwords for good with NFC-based replacement

Google engineers are looking at ways to stop using passwords, which they believe are no longer enough to keep users safe.
Written by Liam Tung, Contributing Writer

Google engineers are testing new tools that could replace passwords as the primary way of authenticating identity on the web.

Google is currently running a pilot that uses a YubiKey cryptographic card developed by Yubico, a startup operating out of Sweden and the US. Yubico has produced a two-factor authentication fob that can emit encrypted one-time passwords to NFC-enabled smartphones.

The YubiKey NEO fob. (Credit: Yubico)

Google vice president of security Eric Grosse and engineer Mayank Upadhyay will detail the pilot — along with other ways people may be logging into websites in the future — in a research paper to be published in the IEEE Security and Privacy Magazine later this month.

"Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe," Grosse and Upadhyay wrote in their paper, according to a Wired report.

The pair does not expect passwords to disappear completely, but to take on a less significant role in authenticating identity, playing second fiddle to smartphones or chip-embedded objects as the primary authenticator.

"We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity," Wired quoted the pair as saying, hinting at the use of NFC capabilities already available in smartphones such as Samsung's Galaxy S3.

The pair's experiment with YubiKey used a log-in process that involves simply plugging a card into a USB reader and clicking the mouse. They were able to do this using a modified version of Chrome, according to Wired.

For the pilot to move beyond a "speculative" stage, the Google engineers acknowledge that other websites will need to support the approach, but say they have developed a device-based authentication protocol that is independent of Google.

As for Yubico, the company announced in November last year that at the request of online service providers, it was putting its NFC-enabled YubiKey NEO into production, using chips from Dutch semiconductor maker NXP.

The YubiKey NEO can be tapped on an NFC-enabled smartphone, which reads an encrypted one-time password emitted from the key fob.
