War on Passwords? Come on, Google!

21 Jan 2013

A news report on Wired claims that Google is looking into alternative ways of authentication to replace the good old password. According to the same source, the password as we know it is vulnerable to social engineering attacks and hacking, not to mention leaks.

In Google’s vision, future authentication mechanisms are based on hardware rigged with a cryptographic authentication mechanism – a spin-off of what Yubico did with their YubiKey, but without the LastPass software that is required by the key.

Looks like a good idea, doesn’t it? After all, who has all the time in the world to create and memorize all those complicated passwords infosec advises you to set? Well, there’s much more to passwords.

Hardware authentication has been around for years; there’s no news in it. I have $400 worth of authentication hardware on my business laptop in the form of a smart card reader that has not been used even once in more than two years. That is not because I’m reluctant to adopt new technologies (I just said that it’s not new), but rather because of limited support: I can only log into Windows or some intranet applications that have been designed for this specific purpose. I can’t use it on websites.

Secondly, I don’t want to rely on a physical authentication mechanism that can easily be removed from my wallet while I’m off for a smoke, or, better yet, get lost or stolen along with my wallet.

There are quite a number of reasons why I don’t see the use of thumb drives as a viable solution for the future: authenticator loss or theft (with or without the very laptop it has been plugged into), or lack of compatibility (I don’t know how many USB ports your smartphone has, but mine has only one and I’m usually keeping it for recharging, not for authentication purposes).

Last, but not least, the introduction of a universal authentication mechanism based on hardware simply gives me the chills. We have always advised users on the benefits of using different, non-repetitive passwords for all accounts in order to minimize the scope of a successful hack into one of their accounts. Using a hardware authentication mechanism for all accounts is just like putting all eggs into one basket.
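To make concrete what a "hardware rigged with a cryptographic authentication mechanism" actually does on the wire, and what the one-basket concern above means in practice, here is an added toy model in Python. It is not Google's or Yubico's scheme and not code from this post; it assumes a symmetric HMAC challenge-response design in which the token keeps one master secret, derives a separate key for each service it is registered with, and answers a fresh server nonce instead of sending a reusable secret. The class and function names (`HardwareAuthenticator`, `Service`, `login`, `run_demo`) are my own.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


class HardwareAuthenticator:
    """Toy hardware token: one master secret that never leaves the device,
    plus a distinct derived key for every service it is registered with."""

    def __init__(self, master_secret: Optional[bytes] = None):
        self._master = master_secret or secrets.token_bytes(32)

    def service_key(self, service_id: str) -> bytes:
        # Per-service key derived from the master with HMAC. A service that
        # leaks its copy learns nothing about the master or other services' keys.
        return hmac.new(self._master, service_id.encode(), hashlib.sha256).digest()

    def respond(self, service_id: str, challenge: bytes) -> bytes:
        # The token answers the server's fresh nonce; no reusable secret
        # (nothing like a password) is ever transmitted.
        return hmac.new(self.service_key(service_id), challenge, hashlib.sha256).digest()


class Service:
    """Relying party: stores the shared per-service key and single-use challenges."""

    def __init__(self, service_id: str):
        self.service_id = service_id
        self._keys: Dict[str, bytes] = {}      # user -> shared key (set at enrolment)
        self._pending: Dict[str, bytes] = {}   # user -> outstanding challenge

    def register(self, user: str, token: HardwareAuthenticator) -> None:
        self._keys[user] = token.service_key(self.service_id)

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        # Consume the challenge so a captured response cannot be replayed.
        nonce = self._pending.pop(user, None)
        if nonce is None or user not in self._keys:
            return False
        expected = hmac.new(self._keys[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def revoke(self, user: str) -> None:
        # What every service must do once the single token is lost or stolen.
        self._keys.pop(user, None)
        self._pending.pop(user, None)


def login(service: Service, user: str, token: HardwareAuthenticator) -> bool:
    nonce = service.challenge(user)
    return service.verify(user, token.respond(service.service_id, nonce))


def run_demo() -> Dict[str, object]:
    """One token enrolled with three constructed services; returns the checks."""
    token = HardwareAuthenticator()
    services: List[Service] = [Service("mail"), Service("bank"), Service("shop")]
    for svc in services:
        svc.register("alice", token)

    mail, bank = services[0], services[1]

    # Normal login: challenge, response, verification.
    login_ok = login(mail, "alice", token)

    # Replay: re-sending an already-used response must fail.
    nonce = mail.challenge("alice")
    captured = token.respond("mail", nonce)
    first = mail.verify("alice", captured)
    replay_rejected = first and not mail.verify("alice", captured)

    # A response computed with the bank's key is useless against the mail service.
    nonce = mail.challenge("alice")
    cross_service_rejected = not mail.verify("alice", token.respond("bank", nonce))

    # The one-basket property: losing the token means every service must revoke.
    for svc in services:
        svc.revoke("alice")
    locked_out = sum(1 for svc in services if not login(svc, "alice", token))

    return {
        "login_ok": login_ok,
        "replay_rejected": replay_rejected,
        "cross_service_rejected": cross_service_rejected,
        "keys_distinct": token.service_key("mail") != token.service_key("bank"),
        "services_to_revoke": locked_out,
    }


if __name__ == "__main__":
    print(run_demo())
```

The model shows both halves of the trade-off: the server never stores or receives anything a phisher could reuse, and a leak at one service does not expose the others, but the loss of the single physical token cuts the user off from every account at once and forces a revocation at each of them.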

So what’s the alternative?

Fingerprints or other biometrics. They are nearly impossible to forge, are always “at hand”, and the hardware for this has been implemented, tested and proven relatively successful.

What gives, Google?

Tags: Passwords, Google, biometric authentication, leak

