Google engineers are testing new tools that could replace passwords as the primary way of authenticating identity on the web.
Google is currently running a pilot that uses a YubiKey cryptographic card developed by Yubico — a startup operated out of Sweden and the US, which has produced a two-factor authentication fob that can emit encrypted one-time passwords to NFC-enabled smartphones.
Google vice president of security Eric Grosse and engineer Mayank Upadhyay will detail the pilot — along with other ways people may be logging into websites in the future — in a research paper to be published in the IEEE Security and Privacy Magazine later this month.
"Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe," Grosse and Upadhyay wrote in their paper, according to a Wired report.
The pair does not imagine that passwords will completely disappear, but that they will have a less significant role in authenticating ID, playing second fiddle to smartphones or chip-embedded things as the primary authenticator.
The pair's experiment with YubiKey used a log-in process that involves simply plugging a card into a USB reader and clicking the mouse. They were able to do this using a modified version of Chrome, according to Wired.
For the pilot to move beyond a "speculative" stage, the Google engineers acknowledge that other websites will need to support the approach, but say they have developed a device-based authentication protocol that is independent of Google.
As for Yubico, the company announced in November last year that at the request of online service providers, it was putting its NFC-enabled YubiKey NEO into production, using chips from Dutch semiconductor maker NXP.
The YubiKey NEO can be tapped on an NFC-enabled smartphone, which reads an encrypted one-time password emitted from the key fob.