Let’s face it, using passwords to authenticate into a system is a broken mess. To be effective, passwords need to be unique, long, complex, and frequently changed, which may be acceptable in a tightly controlled enterprise environment, but simply does not work when it comes to consumers.
Even with solid passwords in place, there are still ways for hackers to break in, from brute force attacks, to vulnerabilities in databases, to phishing and other forms of social engineering.
Apple’s Touch ID fingerprint sensor on the iPhone 5s brought renewed attention to authentication systems that work without passwords. Android manufacturers such as HTC, LG, and Samsung are also reportedly planning to equip their upcoming devices with fingerprint sensors.
Google, however, may be taking a different approach. Instead of relying on biometric scanners, the Mountain View giant is reportedly going to offer consumers smart tokens that work like keys to their Google accounts.
A physical key to your virtual life
According to the Wall Street Journal, Google is currently testing, internally, authentication tokens made by Silicon Valley-based startup YubiKey. The tokens, called YubiKey Neo, are similar to the small devices that you might be using to log in to your internet banking account, with a difference: instead of having to enter a PIN and then type the code returned by the token on the website, you only have to plug the YubiKey Neo into a USB port on your computer, no codes required.
Moreover, thanks to NFC, you can use YubiKey Neo with a smartphone, tablet, or other NFC-enabled device. Whenever you have to log into Google, you’ll be able to simply touch your token to the device, no password, PIN, or typing required.
Google’s Mayank Upadhyay, a security director, says that the YubiKey tokens “raised the standard of security for [Google] employees beyond what was commercially available”. The engineer claims the solution works “very seamlessly for people in their day-to-day workflow”.
Google plans to offer YubiKey Neo tokens to consumers next year. It’s not clear yet whether the company will offer the solution to Google Apps users first or to all users. YubiKey currently sells the YubiKey Neo token (which doesn’t require a battery, weighs just a few grams, and is billed as “practically indestructible”) for $50 to retail customers, though it’s likely that Google will be able to get a far better deal.
What happens if you lose your YubiKey or if it is stolen? You’ll be able to temporarily or permanently disable it through a web app or by calling a support line.
If everything goes to plan, YubiKey could make logging into Gmail and other accounts safer, simpler, and faster. You’ll have to have your token on hand, but that seems a small inconvenience compared to the benefits brought by the solution, and passwords remain as a failsafe option.