Feeds

First Google wants to know all about you, now it wants a RING on your finger

For those who've always wanted to give the web giant the finger

Reducing security risks from open source software

Top Google bods are mulling over using cryptographic finger-ring gadgets and other ways for users to securely log into websites and other services.

The ad giant's security veep Eric Grosse and engineer Mayank Upadhyay have submitted the paper Authentication at Scale to the IEEE Security & Privacy Magazine; their central argument is that weak passwords are a bigger threat to online security than malware infection, hacker attacks or espionage. Passwords, as they stand, need to go, in the pair's opinion, but this process won't happen overnight:

In working to keep cloud computing users' data safe, we observe many threats - malware on the client, attacks on SSL, vulnerabilities in web applications, rogue insiders, espionage - but authentication related issues stand out amongst the biggest. When trying to help hundreds of millions of people from an unbelievable variety of endpoints, attitudes, and skill levels, what can possibly displace plain old passwords? No single thing, nothing overnight, and nothing perfect. A combination of risk-based checks, second-factor options, privacy-enhanced client certificates, and different forms of delegation is starting to find adoption towards making a discernible difference.

Google introduced a two-stage login process for its Gmail website two years ago. This optional two-factor verification adds an extra layer of security to Google accounts by linking them to a registered mobile phone number. Users are asked for a code sent to them by text every time they try to log into their accounts from a new computer, a minor inconvenience for legitimate users that makes life far trickier for account hijackers and other criminal hackers.

Looking further ahead, Google is experimenting with Yubico cryptographic USB cards that generate one-time passcodes (OTP) for logging into websites. The YubiKey combines a public ID number unique to the key with a series of bytes generated on the fly to produce a one-off code that, when used with an account username and password, will log the user into the service for that one particular session. The magic code consists of a secret value, a timestamp, some counters and a few random bytes encrypted using 128-bit AES, and then inputted into the computer via USB as if typed into a keyboard.

Pressing the gold disc-like button on the keyboard generates and outputs the new unique code; the incrementing counters ensure no one can copy and reuse the OTP, and the public ID number in the key links the gadget to the account username. One step on from that involves replacing the USB connection with wireless radio tech and building it into a finger-ring. And then getting enough websites and services to use it.

“We’d like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity,” Grosse and Upadhyay wrote.

“Others have tried similar approaches but achieved little success in the consumer world. Although we recognize that our initiative will likewise remain speculative until we’ve proven large scale acceptance, we’re eager to test it with other websites.”

It is understood Grosse and Upadhyay have developed a protocol for device-based authentication independent of Google that will also prevent websites from tracking users. ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
L33t haxxors compete to p0wn popular home routers
EFF-endorsed SOHOpelessly Broken challenge will air routers' dirty zero day laundry
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.