Establishing Digital Trust: Don't Sacrifice Security for Convenience
Wired reports that Google's Eric Grosse and Mayank Upadhyay will soon publish a research paper in IEEE Security & Privacy Magazine that describes several methods of logging into Web sites that don't rely on passwords.
"'Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,' Grosse and Upadhyay write in their paper," reports Wired's Robert McMillan. "Thus, they’re experimenting with new ways to replace the password, including a tiny Yubico cryptographic card that -- when slid into a USB (Universal Serial Bus) reader -- can automatically log a web surfer into Google. ... They see a future where you authenticate one device -- your smartphone or something like a Yubico key -- and then use that almost like a car key, to fire up your web mail and online accounts."
"Because carrying around another device may not prove popular among consumers, Google suggests the authentication device could be integrated into a smartphone or even a piece of jewelry," writes Computerworld's Zach Miners. "The device would be able to authorize a new computer for use with a single tap, even in situations in which the phone might be without cellular connectivity."
"As for Yubico, the company announced in November last year that at the request of online service providers it was putting its NFC-enabled YubiKey NEO into production, using chips from Dutch semiconductor maker, NXP," notes ZDNet's Liam Tung. "The YubiKey NEO can be tapped on an NFC-enabled smartphone, which reads an encrypted one-time password emitted from the key fob."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"The Google team admits others already offer authentication via hardware, but it has yet to take off," writes Threatpost's Anne Saita. "Perhaps with the power and cache that comes from the brand, more sites will agree to beta and more web surfers will be convinced to use it. 'Others have tried similar approaches but achieved little success in the consumer world,' they write. 'Although we recognize that our initiative will likewise remain speculative until we’ve proven large scale acceptance, we’re eager to test it with other websites.'"