First Google wants to know all about you, now it wants a RING on your finger

For those who've always wanted to give the web giant the finger

Top Google bods are mulling over using cryptographic finger-ring gadgets and other ways for users to securely log into websites and other services.

The ad giant's security veep Eric Grosse and engineer Mayank Upadhyay have submitted the paper Authentication at Scale to IEEE Security & Privacy magazine; their central argument is that weak authentication, passwords above all, ranks among the biggest threats to online security, alongside malware infection, hacker attacks and espionage. Passwords as they stand need to go, in the pair's opinion, but the process won't happen overnight:

In working to keep cloud computing users' data safe, we observe many threats - malware on the client, attacks on SSL, vulnerabilities in web applications, rogue insiders, espionage - but authentication related issues stand out amongst the biggest. When trying to help hundreds of millions of people from an unbelievable variety of endpoints, attitudes, and skill levels, what can possibly displace plain old passwords? No single thing, nothing overnight, and nothing perfect. A combination of risk-based checks, second-factor options, privacy-enhanced client certificates, and different forms of delegation is starting to find adoption towards making a discernible difference.

Google introduced two-step verification for Google accounts, Gmail included, two years ago. This optional second factor adds an extra layer of security by linking the account to a registered mobile phone: when signing in from a computer Google hasn't seen before, the user must also enter a one-time code sent to the phone by text message or voice call, or generated by the Google Authenticator app. That is a minor inconvenience for legitimate users, but it means a password alone, however it was stolen, is no longer enough for account hijackers and other criminal hackers.

Looking further ahead, Google is experimenting with Yubico's YubiKey, a cryptographic USB token that generates one-time passcodes (OTPs) for logging into websites. Each OTP combines a public ID unique to the key with a block of bytes generated on the fly to produce a one-off code that, when used with an account username and password, logs the user into the service for that one session. The generated block consists of a secret private ID, a timestamp, two counters, a couple of random bytes and a checksum, encrypted as a single 128-bit AES block under a key shared only between the token and the validation server. The token then types the result, spelled out in an alphabet chosen to survive most keyboard layouts, into the computer as though it were a USB keyboard, so the client needs no driver.

Pressing the gold disc-like button on the key generates and emits a fresh code. The validating server decrypts it, checks the checksum and the private ID, and compares the counters with the highest values it has already accepted from that key; anything equal or lower is rejected, so a captured OTP cannot be replayed. The public ID, sent in the clear at the front of the code, tells the server which key's secret to use and links the gadget to the account username. One step on from that involves replacing the USB connection with wireless radio tech and building the device into a finger ring. And then getting enough websites and services to use it.
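The two paragraphs above describe both halves of the YubiKey OTP scheme: the button press that builds and encrypts the block, and the server that decrypts it and enforces the counters. The following Go program is an added example written for this page, not Yubico's or Google's code. It follows the classic YubiKey OTP layout as Yubico has published it (modhex encoding, 6-byte private ID, little-endian use counter, 24-bit timestamp, session counter, two random bytes and a CRC-16 whose complemented value makes a good block check to the residue 0xf0b8) but assumes a 6-byte public ID and uses constructed keys; the single Device struct standing in for both the token and the server's copy of its secrets is a simplification for brevity.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"strings"
)

const modhex = "cbdefghijklnrtuv" // the 16 keycodes the key "types": they land on the same characters on most keyboard layouts

func modhexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, c := range b {
		out = append(out, modhex[c>>4], modhex[c&0x0f])
	}
	return string(out)
}

func modhexDecode(s string) ([]byte, error) {
	if strings.Trim(s, modhex) != "" {
		return nil, errors.New("otp contains a non-modhex character")
	}
	out := make([]byte, len(s)/2)
	for i := range out {
		out[i] = byte(strings.IndexByte(modhex, s[2*i])<<4 | strings.IndexByte(modhex, s[2*i+1]))
	}
	return out, nil
}

// crc16 is the CRC-16/X.25 the key uses (poly 0x8408, init 0xffff); a block carrying its own complemented CRC checks to residue 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ (0x8408 & -(crc & 1)) // xor in the polynomial iff the bit shifted out was 1
		}
	}
	return crc
}

// Device holds what both the key and the validation server know about one token (constructed demo; real deployments keep the server copy separately).
type Device struct {
	Pub   []byte       // public ID, sent in the clear as the OTP prefix
	Priv  [6]byte      // private ID, seen in the clear only inside the AES block
	Block cipher.Block // AES-128 under the key's 16-byte secret
	Last  uint32       // server side: highest (UseCtr<<8 | SessionCtr) accepted so far
}

func NewDevice(pub []byte, aesKey [16]byte, priv [6]byte) *Device {
	block, _ := aes.NewCipher(aesKey[:]) // cannot fail: the array type fixes the key length at 16
	return &Device{Pub: pub, Priv: priv, Block: block}
}

// Press is the button press: private ID, power-up counter, 24-bit timestamp, session counter, random filler and CRC go into one 16-byte block, which is AES-encrypted and prefixed with the public ID.
func (d *Device) Press(useCtr uint16, tstp uint32, sessCtr uint8, rnd uint16) string {
	blk := make([]byte, 16)
	copy(blk, d.Priv[:])
	binary.LittleEndian.PutUint16(blk[6:8], useCtr)
	blk[8], blk[9], blk[10], blk[11] = byte(tstp), byte(tstp>>8), byte(tstp>>16), sessCtr
	binary.LittleEndian.PutUint16(blk[12:14], rnd)
	binary.LittleEndian.PutUint16(blk[14:16], ^crc16(blk[:14]))
	d.Block.Encrypt(blk, blk) // a single block encrypted in place, so "ECB" here is just raw AES
	return modhexEncode(d.Pub) + modhexEncode(blk)
}

type Validator map[string]*Device // the server's table of enrolled keys, keyed by modhex public ID

func (v Validator) Enroll(d *Device) { v[modhexEncode(d.Pub)] = d }

// Validate decrypts, integrity-checks and replay-checks one OTP; the stored counters advance only if every check passes.
func (v Validator) Validate(otp string) error {
	if len(otp) < 34 {
		return errors.New("otp too short")
	}
	dev, ok := v[otp[:len(otp)-32]]
	if !ok {
		return errors.New("unknown public id")
	}
	blk, err := modhexDecode(otp[len(otp)-32:])
	if err != nil {
		return err
	}
	dev.Block.Decrypt(blk, blk)
	if crc16(blk) != 0xf0b8 {
		return errors.New("bad crc: wrong key or corrupted otp")
	}
	if string(blk[:6]) != string(dev.Priv[:]) {
		return errors.New("private id mismatch")
	}
	seq := uint32(binary.LittleEndian.Uint16(blk[6:8]))<<8 | uint32(blk[11])
	if seq <= dev.Last { // counters must move strictly forward: this is the anti-replay check
		return errors.New("replayed or stale otp")
	}
	dev.Last = seq
	return nil
}
```

Enrolling a device and then validating the same OTP twice shows the property the article describes: the first use passes, the repeat is refused, and so is any later press whose counters fall behind the highest pair the server has seen, even though that OTP was never used. Two things worth noting for anyone deploying this kind of scheme: the CRC and private-ID checks only mean something because the AES key is secret, so whichever server validates the OTPs holds the same symmetric key as the token and must be protected accordingly; and the server has to persist the counters, otherwise a restart reopens the replay window.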

“We’d like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity,” Grosse and Upadhyay wrote.

“Others have tried similar approaches but achieved little success in the consumer world. Although we recognize that our initiative will likewise remain speculative until we’ve proven large scale acceptance, we’re eager to test it with other websites.”

It is understood Grosse and Upadhyay have developed a protocol for device-based authentication that is independent of Google and designed so that websites cannot use the device to track users across sites. ®
