To help the Internet move on from usernames and passwords, Google wants to put a ring on it.
Google's engineers have been experimenting with hardware that would act as a master key for online services. Examples include a smart ring for your finger, a cryptographic USB stick, or a token embedded in smartphones. Google vice president of security Eric Grosse and engineer Mayank Upadhyay outline their proposal in a research paper for this month's IEEE Security & Privacy Magazine, according to a report in Wired.
The idea is to prevent remote hackers from accessing online accounts through stolen usernames and passwords. Without physically stealing the login device, they'd have no other way to gain entry.
Some Web services already offer this type of security through two-step authentication. For instance, when you sign into Gmail on an unrecognized PC, you can have Google send a text message to your phone with a validation code. Once you enter the code, Gmail can remember that PC indefinitely.
The problem with two-step authentication is that it's cumbersome to validate all your computers, and to go through the process just to check e-mail on a friend's computer. Signing in when your phone is out of service can be an issue as well, although Google does provide 10 backup codes for that situation.
A physical device--ideally one that could communicate wirelessly to computers--would make the process easier. "We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity," Google's engineers write.
Of course, relying a ring or other device to log in raises its own challenges. There'd have to be a backup sign-in method--one that's more secure than just a password--in case the device becomes lost or damaged. And while a ring or other contact-based device would help protect users from faraway hackers, it'd be easier to steal by spouses, co-workers or children. Google's engineers admit that they might still need to require passwords, but those passwords wouldn't have to be as complex as today's hacker-proof formulas. Also, not everyone will want to wear a ring or carry their phones around all the time just to use their computers.
Web developers will have to get on board as well, or at least embrace services like Account Chooser, which would let larger services like Facebook or Google act as a master login for smaller sites. Otherwise, we'll still have to remember a whole lot of passwords for sites that don't except hardware-based authentication.