In a forthcoming paper, Google engineers float the idea of supplementing passwords with hardware that you wear. Or carry. Or slip onto a finger.
Hardly a day goes by without the account of some high-profile person, along with those of countless people of lower profile, being hacked. Weak password, stolen password, non-existent password; whatever the cause, breaking into our digital lives is easy, and getting easier.
That's why Google has said that passwords are no longer the best solution for sensitive accounts. "We contend that security and usability problems are intractable," wrote Google's Eric Grosse and Mayank Upadhyay, in an article to be published later this month in IEEE Security & Privacy. "It's time to give up on elaborate password rules and look for something better".
One idea: a ring that authenticates a user's identity so a password doesn't have to.
As first reported by Wired, "something better" will likely involve hardware. Google has already made a significant foray into this arena with two-step verification, which combines something the user knows (a password) with something the user has (a single-use code, sent to a smartphone connected to the account). The paper says that "millions" use two-step verification, and that it's among the largest services of its kind in the world.
But it can also be a pain. Grosse, Google's vice president of security, and Upadhyay, an engineer, said that "not nearly enough of our users are protected" by the two-step service. In the paper, they propose an alternative: a "USB token" tied to the user that plugs into a computer's USB port, which then communicates its identity via a website, and in so doing, grants the user access to his or her accounts without the need for passwords.
The authors noted, however, that it may be difficult to persuade people to buy USB tokens. Instead, they speculated, what if the token were integrated into something a person was more likely to carry, which could communicate with the computer via near-field communication or Bluetooth?
"Some more appealing form factors might involve integration with smartphones or jewellery that users are likely to carry anyway," the authors said. "We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity."
The article is well worth reading in full. It will be posted online by 28 January at this website, a spokeswoman said.