Google Declares War on the Password # Dear @Wired, no, sorry, you’re again wrong about #password #security /cc @bobmcmillan

Quoth Google Declares War on the Password | Wired Enterprise | Wired.com:

MOUNTAIN VIEW, California — Want an easier way to log into your Gmail account? How about a quick tap on your computer with the ring on your finger?

…wait, no, stop already – it’s not even the first paragraph and you’re going wrong. I have already done this, long, long ago:

alec's java ring

This is my Java Ring and aside from anything else it was also an authentication token, so when you say:

This may be closer than you think. Google’s security team outlines this sort of ring-finger authentication in a new research paper, set to be published late this month in the engineering journal IEEE Security & Privacy Magazine.

…the issue is that I have already been down that path and know what happens; but – dearest Wired – you are so intent on being neophiles:

In it, Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay outline all sorts of ways they think people could wind up logging into websites in the future — and it’s about time.

2012 may have been the year that the password broke. It seemed like everyone on the internet received spam e-mail or desperate pleas for cash — the so-called “Mugged in London” scam — from the e-mail accounts of people who had been hacked. And Wired’s own Mat Honan showed everyone just how damaging a hack can be.

The guys who hacked Honan last August deleted his Gmail account. They took over his Twitter handle and posted racist messages. And they remote-wiped his iPhone, iPad, and laptop computer, deleting a year’s worth of e-mails and photographs. In short, they erased his digital life.

Yes, and howeverso tragic the experience was, the conclusions which Honan drew from the experience were misconceived

Passwords are a cheap and easy way to authenticate web surfers, but they’re not secure enough for today’s internet, and they never will be.

…and all of the problems with passwords are eminently addressable.  It’s not hard, really.

Google agrees. “Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” Grosse and Upadhyay write in their paper.

Thus, they’re experimenting with new ways to replace the password, including a tiny Yubico cryptographic card that — when slid into a USB (Universal Serial Bus) reader — can automatically log a web surfer into Google. They’ve had to modify Google’s web browser to work with these cards, but there’s no software download and once the browser support is there, they’re easy to use. You log into the website, plug in the USB stick and then register it with a single mouse click.

Authenticating with a card? Where have I seen that before? Oh yes, one of these:

sun-ray

…that’s a SunRay card. My SunRay card. Fabulous bit of technology, but – security geek though I am – it wasn’t the card authentication which made it valuable, it was the thin-client session mobility. The authentication was just a nicety, and you still required a password to unlock your session because, just like the ring, if someone stole your authentication token your security was compromised unless your second “factor” was informational – ie: a password.

They see a future where you authenticate one device — your smartphone or something like a Yubico key — and then use that almost like a car key, to fire up your web mail and online accounts.

Just like in 1998.

In the future, they’d like things to get even easier, perhaps connecting to the computer via wireless technology.

google: bluetooth proximity unlock

“We’d like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity,” the Googlers write.

You’ve seen those movies where bits get cut off people because of biometrics?

The future may not exactly be password-free, but it will at be least free of those complex, hard-to-remember passwords, says Grosse.

eg: by using 1password

“We’ll have to have some form of screen unlock, maybe passwords but maybe something else,” he says, “but the primary authenticator will be a token like this or some equivalent piece of hardware.”

The word “two” in “two factor authentication” rather negates the concept of “primary”; it’s not like We have received half the launch code, General, so we should launch half the missiles!

That means that if someone steals your card or your smart-ring, you’d better report it stolen pretty quickly.

Exactly so. I cannot take the rest of this article seriously; yes, more authentication is better, but cascading multiple forms of “what you have” is never going to be the right approach. You need to remember shit, just enough to bootstrap. See the summary.

ps: I have Yubikeys.  I play with them.  I love them:

combo-platter

…but I would never seriously trust to a system dependent upon them or any other token without a password; and ideally the token should be challenge-response.

 

4 thoughts on “Google Declares War on the Password # Dear @Wired, no, sorry, you’re again wrong about #password #security /cc @bobmcmillan

  1. alecm Post author

    ps: If we want to round out the set I probably have a dead DESGold challenge-response card somewhere. I also have a synchronous line encryptor with twin hardware keys. And maybe a DES chip.

    Reply
  2. Dave Walker

    Everything you said; very nice deconstruction. Kinda surprised the ex-Sun folk at Google don’t appear to have been listened to, on this.

    A further design flaw with Java rings (not the only one, of course….) is that they only came in one size, which was *way* too big.

    Reply
  3. Alan Burlison

    Google already have some sort of 2-factor thingy that requires your phone. Of course, one of the things I’m most likely to lose is my Android phone, and as it’s receiving push messages from google one of the first things I’m going to want to do is to lock it out from my google account – which requires me to have my phone to log in to google to lock it out…

    Reply

Leave a Reply