Wired’s image of a Yubico card: the new password

Google is looking to change the password game. No longer will you have to remember complex password phrases, or give away incredibly stupid ones (password1, we’re looking at you), but simply tap a ring on a computer, or insert a USB drive.

Remembering a password is important these days. In the early nineties the most important password was “Ken sent me”, but forgetting that wasn’t the end of the world, just Larry’s. Today if you lose your password, or some untoward gets hold of it your life can be made very difficult.  Wired has made its readers very very aware of this by recounting in excruciating detail the life of its own, Mat Honan, after his Gmail account got hacked.

Honan’s hackers “took over his Twitter handle and posted racist messages. And they remote-wiped his iPhone, iPad, and laptop computer, deleting a year’s worth of e-mails and photographs. In short, they erased his digital life.” Shame. At least he got to write 100 extra articles for Wired.

If only Honan had some of the tech Google’s Vice President of Security Eric Grosse and Engineer Mayank Upadhyay outlined in the engineering journal IEEE Security & Privacy Magazine. They say the password is dead. Not as dramatic as Nietzsche, but it’ll do for the digital age.

Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe.

So, according to Wired

they’re experimenting with new ways to replace the password, including a tiny Yubico cryptographic card that — when slid into a USB (Universal Serial Bus) reader — can automatically log a web surfer into Google. They’ve had to modify Google’s web browser to work with these cards, but there’s no software download and once the browser support is there, they’re easy to use. You log into the website, plug in the USB stick and then register it with a single mouse click.

They see a future where you authenticate one device — your smartphone or something like a Yubico key — and then use that almost like a car key, to fire up your web mail and online accounts.

Just don’t lose your Yubico key.

Grosse and Upadhyay  writethat they’d “like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity.”

The snag is that other websites need to be onboard for this to work. The Googlers acknowledge this. “Others have tried similar approaches but achieved little success in the consumer world,” they write. “Although we recognize that our initiative will likewise remain speculative until we’ve proven large scale acceptance, we’re eager to test it with other websites.”

It is an interesting approach, but still a little way off. Until then we recommend using google’s 2-step verification, and registering strong passwords. So no admin, qwerty, hello, or password.

[Source: Wired]