Google is researching a way to kill the password, this time with a magic ring.
No, it isn’t a weird metaphorical movie plot. The idea is to use a trinket that plugs into the USB slot on a computer and authenticates the user.
At the RSA Security conference in San Francisco, Mayank Upadhyay, a principal engineer at Google who specializes in security, said the experience of logging on to a computer or website should be as simple as using an ATM machine, which is why the company is looking into the USB technology as an alternative to passwords.
Overall, passwords don’t work well for many people. That’s because people either have too many and need to write them down — violating rule number one of password security — or they have one that they use in several places, increasing their security risk.
Carrying a token could make authentication easier, because a person wouldn’t have to remember all those passwords.
Google’s prototype is a USB device mounted on a ring or other small piece of jewelry that holds a piece of digital information known as a cryptographic key. A key is not a program but a secret value, in practice a very long random number, that a cryptographic algorithm uses to transform data. The algorithms behind modern cryptography rest on hard mathematical problems, but a key’s purpose is simple: to scramble a message so that nobody but the intended recipient can read it, to unscramble a message meant only for you, or, as in this case, to prove to a website that you hold a particular key without ever revealing it.
Here’s how it would work. Let’s say you want to access your checking account information from your bank’s website. First, you must register your USB device with the bank. That would involve plugging it into your computer, logging on to the bank’s website and walking through a couple of authentication prompts, much as creating a new account works today.
During this process, the device generates a matched pair of keys, one public and one private. The public key is sent to the bank, which files it against your account for later use. The private key stays on the USB device and never leaves it.
Later, if you want to transfer money from your checking account to your savings, you visit the website with the USB device plugged in. Instead of entering a username and password at the login screen, you click a button that says “authenticate”, or even skip that step altogether. The bank then sends your device a fresh, randomly generated “challenge” that it has never used before. Only the private key on your device can produce the right answer; the device answers, and the bank checks the result using the public key it stored at registration. Because the challenge is different every time, an answer recorded during one login is of no use for another.
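As an added illustration of the registration and login steps just described (this is not Google’s code or anything shown at the talk), here is the whole exchange in Go with both sides in one program. It assumes a signature-based challenge-response: the token signs the bank’s random challenge with an ECDSA key on the P-256 curve and the bank verifies the signature with the public key it stored. The “Token” and “Server” types, the user name “alice” and the 32-byte challenge are illustrative choices, and everything runs in one process rather than over USB and the web.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token stands in for the USB ring: the private key lives here and never leaves.
type Token struct {
	priv *ecdsa.PrivateKey
}

// Server stands in for the bank's site: a public key per user plus that user's outstanding challenge.
type Server struct {
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Register is the one-time enrolment: a fresh P-256 key pair, public half to the server.
func (t *Token) Register(s *Server, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	t.priv = priv
	s.pubKeys[user] = &priv.PublicKey
	return nil
}

// Challenge starts a login: 32 random bytes the server has never used before.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, fmt.Errorf("no key registered for %q", user)
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Respond is the token's half of the exchange: sign the hash of the challenge.
func (t *Token) Respond(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, t.priv, h[:])
}

// Verify checks the signature against the stored public key and the challenge actually
// issued, then forgets that challenge so no answer is accepted twice.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, c := s.pubKeys[user], s.challenges[user]
	if pub == nil || c == nil {
		return false
	}
	delete(s.challenges, user) // single use: a replayed signature fails here
	h := sha256.Sum256(c)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Login runs one full exchange; it also returns the signature an eavesdropper would see.
func Login(s *Server, t *Token, user string) (sig []byte, accepted bool, err error) {
	c, err := s.Challenge(user)
	if err != nil {
		return nil, false, err
	}
	if sig, err = t.Respond(c); err != nil {
		return nil, false, err
	}
	return sig, s.Verify(user, sig), nil
}

// ReplayRejected replays a captured signature at a later login; true if it was refused.
func ReplayRejected(s *Server, t *Token, user string) (bool, error) {
	sig, first, err := Login(s, t, user)
	if err != nil {
		return false, err
	}
	if _, err := s.Challenge(user); err != nil { // new attempt, fresh challenge
		return false, err
	}
	return first && !s.Verify(user, sig), nil
}

func main() {
	s, ring := NewServer(), &Token{}
	if err := ring.Register(s, "alice"); err != nil {
		panic(err)
	}
	safe, err := ReplayRejected(s, ring, "alice") // runs a genuine login first
	fmt.Println("genuine login accepted and replay rejected:", safe, err)
}
```

The security-relevant detail is in Verify: the server only ever accepts a signature over the one challenge it handed out, and it discards that challenge as soon as it has been checked, so a signature captured from the wire is worthless a moment later. A real deployment would add, among other things, a check that the answer was produced for this site and not relayed from another; that is outside this sketch.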
This kind of public-private key cryptography is common; it relies on mathematical operations that are easy to perform but hard to reverse. Multiplication is the classic example, and the one RSA is built on: multiplying the primes 61 and 53 takes a moment, but handed only their product, 3233, you have to search for the factors. With a four-digit number the search is short, since you can simply try dividing by 2, 3, 5 and so on until something fits. With the numbers real keys use, the product of two primes each hundreds of digits long, no known method finds the factors in any practical amount of time. Encrypting with the public key, or checking an answer against it, is like doing the multiplication; working out the private key from the public one is like undoing it, which is why the private key stays private even though the public key is handed out freely. (Other systems, including the elliptic-curve schemes common in modern tokens, rest on different hard problems, but the idea of a one-way operation is the same.)
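To make the multiply-versus-factor asymmetry concrete, here is an added example in Go (not from the article or from Google) of a toy RSA key built from the primes 61 and 53. The primes, the public exponent 17 and the message 65 are arbitrary small values chosen so the arithmetic can be checked by hand. The code also recovers the private exponent from the public key by factoring the modulus with trial division, which is exactly the step that becomes infeasible once the primes are hundreds of digits long.

```go
package main

import (
	"fmt"
	"math/big"
)

// ToyRSA is an RSA key pair built from primes small enough to follow by hand.
// Real keys use primes of hundreds of digits; these values are for illustration only.
type ToyRSA struct {
	N, E, D *big.Int // N and E are public; D is the private exponent
}

// NewToyRSA derives the key pair from primes p and q and public exponent e:
// N = p*q and D = e^-1 mod (p-1)(q-1). Anyone who knows p and q can do this.
func NewToyRSA(p, q, e int64) ToyRSA {
	P, Q, E := big.NewInt(p), big.NewInt(q), big.NewInt(e)
	return ToyRSA{N: new(big.Int).Mul(P, Q), E: E, D: privateExponent(P, Q, E)}
}

func privateExponent(P, Q, E *big.Int) *big.Int {
	one := big.NewInt(1)
	phi := new(big.Int).Mul(new(big.Int).Sub(P, one), new(big.Int).Sub(Q, one))
	return new(big.Int).ModInverse(E, phi)
}

// Encrypt is the easy direction: c = m^E mod N, using only the public key.
func (k ToyRSA) Encrypt(m int64) *big.Int {
	return new(big.Int).Exp(big.NewInt(m), k.E, k.N)
}

// Decrypt needs the private exponent: m = c^D mod N.
func (k ToyRSA) Decrypt(c *big.Int) *big.Int {
	return new(big.Int).Exp(c, k.D, k.N)
}

// Factor is the hard direction: recover p and q from N by trial division, and
// report how many divisors were tried. Instant for a four-digit N; for the
// 600-digit N of a real key no known method finishes in any useful time.
func Factor(N *big.Int) (p, q *big.Int, tries int) {
	d, r := big.NewInt(2), new(big.Int)
	for {
		tries++
		if r.Mod(N, d).Sign() == 0 {
			return new(big.Int).Set(d), new(big.Int).Div(N, d), tries
		}
		d.Add(d, big.NewInt(1))
	}
}

// RecoverPrivate shows why the factors must stay secret: whoever can factor N
// can rebuild D from the public key alone.
func RecoverPrivate(N, E *big.Int) *big.Int {
	p, q, _ := Factor(N)
	return privateExponent(p, q, E)
}

func main() {
	k := NewToyRSA(61, 53, 17) // N = 3233, D = 2753
	c := k.Encrypt(65)         // 2790
	fmt.Println("ciphertext:", c, "decrypts to:", k.Decrypt(c))
	_, _, tries := Factor(k.N)
	fmt.Println("private exponent recovered from public key:", RecoverPrivate(k.N, k.E), "after", tries, "trial divisions")
}
```

Trial division needs only 52 attempts to break this toy key, which is the point: the private exponent is fully determined by the public key, and the only thing standing between the two is the cost of factoring. Real RSA keys are secure precisely because that cost, for a modulus of 2048 bits or more, is far beyond any computer.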
Because the user never types a password, software that records keystrokes has nothing to capture. The scheme also blunts the kind of “man in the middle” attack in which someone monitors the traffic between a user and a website and saves it to use later: the private key never crosses the wire, and each challenge is used only once, so a recorded answer is worthless on any later login. It does not, on its own, stop an attacker who controls the connection while the login is actually taking place; that needs further protections, such as tying the answer to the site the user is really talking to.
A magic ring certainly deals with the problem of password hacks, but it doesn’t by itself address what happens if the user loses the USB device. If an unscrupulous person got hold of the ring, he would most likely be able to log in to the sites it is registered with, provided he also knew which sites those were and the user’s name. On the bright side, in this sense it is similar to losing your house or car keys: if someone finds your house keys, they can’t break into your home without knowing the address. And, as with a lost key, the remedy is to change the lock, which here means telling each site to drop the public key it registered so the ring no longer works there.
It does offer some neat ideas for a modern take on the “Lord of the Rings” movie, though. Would it involve a quest to drop a USB ring into an incinerator?