Would you trust Google alternatives to the password: an USB-based card from Yubico?
I know, it can be difficult to remember your login information for a variety of online services or to create a strong password that you’ll actually remember. Worse, even with good passwords, you can still be cracked, hacked, or phished. Would you trust, the search giant Google’s alternatives to the password: an USB-based card from Yubico? But what other options do we have? Let us know your concerns or excitement – or both!
To make logging into online services more secure, Google thinks it might have found an answer, a tiny microchip embedded in a USB-inserted “Yubico key” or even in a near-field-activated ring worn on a finger.
The Yubikey, which is believed to have been tested by Google, can automatically log users onto all their accounts without ever asking for a password by placing it into a Google laptop.
The tiny key can be used in any machine with a USB drive, and acts as a physical “key” to unlock the user’s account.
Two ways the Google imagine changing the password?
- A smartphone or smart-card ring that you wear that can authorize a new computer to give you access to certain sites or to the machine itself.
- Plugging a customized USB drive into the computer while you are browsing that automatically logs you in to sites. When you take out the USB drive, the sites no longer give you access.
As revealed by Wired, “We’d like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity,” said Google Vice President of Security Eric Grosse, who penned an article on the subject for IEEE Security & Privacy Magazine along with Engineer Mayank Upadhyay.
Google says it is working on an internal pilot with an experimental USB device that users first register with multiple websites where they have accounts. A compliant browser would make two new APIs (application programming interfaces) available to the website to be passed down to the attached device.
“One of these APIs is called during the registration step, causing the hardware to generate a new public-private key pair and send the public key back to the website,” the paper explains. “The website calls the second API during authentication to deliver a challenge to the hardware and return the signed response.”
But it can also be a pain. Grosse, Google’s vice president of security, and Upadhyay, an engineer, say “not nearly enough of our users are protected” by the two-step service. In the paper, they propose an alternative: a “USB token” tied to the user that plugs into a computer’s USB port, communicates its identity via a website, and in so doing grants the user access to his or her accounts, without the need for passwords.
Yubico tweeted today that “many apps can bypass the YubiKey login if it is lost or issue a temporary token code.” Multiple tokens can also be used – “it depends on the application and security selected,” Yubico said.
Google’s latest pilot program works to get your passwords OFF of your computer and into your hand with USB cards called Yubikeys.