Gmail login without a password? Google to offer NFC-enabled tokens next year

September 16, 2013
Google is reportedly planning to offer consumers tokens that allow password-less authentication to Google accounts, in a bid to move beyond passwords.

YubiKey-NEO smartphone token password google Yubico

Let’s face it, using passwords to authenticate into a system is a broken mess. To be effective, passwords need to be unique, long, complex, and frequently changed, which may be acceptable in a tightly controlled enterprise medium, but simply does not work when it comes to consumers.

Even with solid passwords in place, there are still ways for hackers to break in, from brute force attacks, to vulnerabilities in databases, to phishing and other forms of social engineering.

Apple’s Touch ID fingerprint sensor on the iPhone 5s again brought to attention authentication systems that work without passwords. Android manufacturers such as HTC, LG, and Samsung are also reportedly planning to equip their upcoming devices with fingerprint sensors.

Google, however, may be taking a different approach. Instead of relying on biometric scanners, the Mountain View giant is reportedly going to offer consumers smart tokens that work like keys to their Google accounts.

A physical key to your virtual life

According to the Wall Street Journal, Google is currently testing internally authentication tokens made by Silicon Valley-based startup YubiKey. The tokens, called YubiKey Neo, are similar to the small devices that you might be using to log in to your internet banking account, with a difference: instead of having to enter a PIN and then to type the code returned by the token on the website, you only have to plug in the YubiKey Neo into an USB port on your computer, no codes required.

Moreover, thanks to NFC, you can use YubiKey Neo with a smartphone, tablet, or other NFC-enabled device. Whenever you have to log into Google, you’ll be able to simply touch your token to the device, no password, PIN, or typing required.

Here’s a technical explanation of how YubiKey works.

Google’s Mayank Upadhyay, a security director, says that the YubiKey tokens “raised the standard of security for [Google] employees beyond what was commercially available”. The engineer claims the solution works “very seamlessly for people in their day-to-day workflow”

Google plans to offer YubiKey Neo tokens to consumers next year. It’s not clear yet whether the company will offer the solution to Google Apps users first or to all users. YubiKey currently sells the YubiKey Neo token (which doesn’t require a battery, weighs just a few grams, and is billed as “practically indestructible”) for $50 to retail customers, though it’s likely that Google will be able to get a far better deal.

What happens if you lose your YubiKey or if it is stolen? You’ll be able to temporarily or permanently disable it through a web app or by calling a support line.

If everything goes to plan, YubiKey could make logging into Gmail and other accounts safer, simpler, and faster. You’ll have to have your token on hand, but that seems a small inconvenience compared to the benefits brought by the solution, and passwords remain as a failsafe option.

Comments

  • Luka Mlinar

    Loving this!

    • mobilemann

      I to am all for anything that gets rid of typing passwords into on screen keyboards!

  • SaintEnoch

    My first thought was “cool!” but this could be another method to track peoples’ movements.

    • Amadeus Klein

      Another method? Honestly if you own a Cell phone, mp3, computer, etc., you are track-able anywhere at anytime as long as it’s powered on so this risk is moot… Personally I would prefer this to a fingerprint as what if apple’s (or anyone else who joins this trend) database is hacked, you can’t change your fingerprints so now the hackers have your entry key for life, but you can change an NFC token and they may only have it for a day or two…

      • mobilemann

        apple’s said publicly, they won’t store thumb prints anywhere but on device.

        Also, they aren’t pictures FYI, lol.

        But yeah, it’s much easier to carry a key rather than your thumb. I always forget my thumb!

        • Amadeus Klein

          Not to be a smart ass, but: Do we really trust apple? Apple Tracks everything and many things we once thought they wouldn’t do (Location tracking ring a bell), and for real purchase security it would need to on the server side, otherwise someone could simply hijack the signal from the phone and spoof the “ok, the print matched” signal to the server to utilize someone’s apple account…

          Nobody said they were pictures, they are stored as data and data can be stolen from the phone, or the server….

          • mobilemann

            depends on how they are stored ~ and i do believe the vast majority of consumers trust apple. (as much as they trust Google, or Microsoft) They make their money on the hardware. They have no real reasons to not want the security tight there.

            Your not being a smart ass, but the comment is pretty ridiculous / hilarious all by itself. Do you trust google? Do you trust MS? I’m sure they needed to collect all the information about those wifi networks in their mapping cars, right? Can you point to apple every doing something similar? (disclaimer, i rock a gs3, and have pre-ordered a 32gb note 3)

            If you trust google to these things, and no other company (when google makes most of it’s money on advertising) then you’re just seeing what you want to see anyway. It’s cool. I’ve given up on the people on this site being remotely fair to other operating systems. It’s to much for them.

          • Amadeus Klein

            I agree people trust Apple, And Trust Google, And Trust Microsoft, And Trust Samsung, And Trust Yahoo, etc…

            I trust both companies about as much as the percentage I make of their yearly income… So hardly at all. But that’s not from a fear of spying type of concern.

            I also choose not to live in the wild with no internet and no interaction with people. That said I accept the fact that giving these companies data is going to happen and they probably know me better than I do. But I would prefer not to have my security be something I have no ability to change. I have no fear that apple or any company will misuse it, it is the theft of it that concerns me…

            I’m not holding Google blameless, but this is something apple is doing, when Google implements fingerprint tracking I will not change my opinion, as it would be just as at risk.

            But biometric security is the future of tech, whether voice recognition, fingerprint, retina, it is coming and how to protect that information is a real concern….

          • mobilemann

            i installed a biometric system for door authentication in midtown, NYC maybe 10 years ago. (security of the future!) There is no way, unless things have drastically changed, that anyone would ever be able to derive your thumb print, from what’s basically coordinates for random valley’s and mountains in your thumb print; unless stuff has changed 100%. (i wouldn’t know, i haven’t done that stuff since then)

            They connected through RS232 even:D

            i think the thumb print system is like the 4 digit code, or the pattern (actually the pattern is by far the easiest to guess, thanks to skin oil’s.) it’s a medium level of security; like 4 digit codes are.

  • MasterMuffin

    Brute force isn’t an option anymore, because isn’t there a time lock after few tries that makes it too slow? Anyways this should come with every Nexus!

    • Luka Mlinar

      Why would you try to brake into fort knox when you got a shed next door that uses the same key ;)

      • MasterMuffin

        Yea totally works that way :D

    • John doe

      Brute forcing is still an option. If you have big list of proxies and have your brute force program ban the proxy when it detects that it is banned from the website for too much tries, you will be fine.

      • MasterMuffin

        That’s really slow!

  • Mayoo

    What a cool innovation. I’m sure Apple will want to do the same … oh wait … they can’t until the next version after the one that was just announced.

    Hehe silly Apple engineers, NFC is for Android!

    • MasterMuffin

      “We haz finkerbrints!!”

    • mobilemann

      i’m pretty sure keychain wallet and the thumb print reader are apple doing it. (before google)

  • End in sight

    Normally I don’t like jewelry, but I’ll take mine in the shape of a ring please. As long as a little USB connector folds out when needed.

    +1

  • lefty44

    How much I like the idea of increased security, my key chain really don’t need another plastic thingy. I have my SecurID for work, four different key tags for access to various buildings at work and home. And oh, right, I have my regular keys as well…

  • Oli72

    Sign me up.

  • APai

    I read it as NSA enabled tokens :P

  • Balraj

    Carry it everywhere…?? I mean everywhere? :/
    It’s gonna be a very loooong process…I have lost half my belief in Google after Wi-Fi issue…
    Google+ ppl using Google= public(no privacy)

  • sam

    Anything other than a Pin pattern or password is idiotic. If someone wants to get into your phone badly enough they could easily attack you and just use your fingerprint to get into the phone. or the same with the face unlock on android 4.0+. However with a pin pattern or password they can’t exactly “make” your brain enter the password. Because if you have stuff that is important enough then you just won’t give up your password.

  • David Kinder

    I really don’t like fingerprints for security as I feel they are a mere convenience at best. But the one thing they do have up on this is that your finger is a physical token that you always have with you. Maybe someone should just diy their own NFC implant. :)

  • Roberto Gil

    If you cant remember your gmail password go to:

    http://gmailsigninhelp.com

  • Emre