Google launches pilot project to get rid of passwords
Posted: Jan 22nd, 2013, 9:17 am
Lesley Ciarula Taylor
Staff Reporter
You may think 3%oiH[nk&R is a good password but Google knows you’re wrong.
The Internet giant has launched a pilot project with encryption key company Yubico to find a way to replace passwords for all of its services.
“We feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” Google vice-president of security Eric Grosseand engineer Mayank Upadhyay write in a research paper to be published this month, Wired magazine reported.
Stina Ehrensvard, founder and CEO of Yubico, confirmed the project for the Toronto Star and explained why Google has to act quickly to replace passwords.
“There are no security threats that cannot be addressed with one-time password technology,” Ehrensvard said.
Yubico, a five-year-old California company whose clients include the U.S. Defense Dept., makes thumb- and quarter-sized encryption keys and wearable rings that plug into ports on PCs, laptops and smartphones and spit out new passwords with each sign-on.
If you lose your key or ring, you cancel it the way you would a credit card and get a new one. Users could go back to using their old passwords for the time being but like credit cards, they can get you a new one quickly and give you emergency access in the meantime.
Yubico is not the only encryption company Google is talking to, Ehrensvard said. But the pilot project is well on its way to reality.
“This is a game changer. However, in order for it to be really fully adopted, browsers also need to adopt it.
“ID theft is costing more than $1 trillion every year. If we don’t solve the problem, the whole creation of the Internet will be in serious trouble.
“Every organization that has a cloud-based business has a reason to be worried and a reason to do something.”
As Google and the banks, governments and corporations it deals with move on to the cloud (the Internet-based remote network of data), their vulnerability in a password-based security system increases and Google knows it has to solve that problem, she said.
The U.S. military think-tank Defense Advanced Research Projects Agency (DARPA) in 2011 put out a call for developers to create a system to replace old technology and insecure passwords that would identify unique characteristics of each user.
“The age of the password is over. We just haven’t realized it yet,” Wired editor Mat Honan wrote in November. Honan famously had his entire identity hacked last summer and wrote about it, spurring a half-million people to sign up for Google’s two-step password authentication process.
“Our digital lives are just too easy to crack. With two minutes and $4 to spend at a sketchy foreign website, I could report back with your credit card, phone and Social Security numbers and your home address.
“Five minutes more and I could be inside your accounts for, say, Amazon, Best Buy, Microsoft and Netflix,” Honan wrote.
Users have resisted tokens and encryption keys because passwords are simple and don’t require remembering where you put them, said Ehrensvard
“In real life, you have a token to lock your house. In the physical world, if we see someone has been in our homes, we do not accept that but for some reason we don’t have the same perception in the Internet world,” she said.
“Although often we have more sensitive information in our digital world than in our houses.”
Google recognizes the hurdles it faces.
“Others have tried similar approaches but achieved little success in the consumer world,” Google’s Grosse and Ypadhyay write in the engineering journal IEEE Security and Privacy Magazine, Wired reported.
“Although we recognize that our initiative will likewise remain speculative until we’ve proven large scale acceptance, we’re eager to test it with the other websites.”
http://www.thestar.com/business/article ... -passwords
Staff Reporter
You may think 3%oiH[nk&R is a good password but Google knows you’re wrong.
The Internet giant has launched a pilot project with encryption key company Yubico to find a way to replace passwords for all of its services.
“We feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” Google vice-president of security Eric Grosseand engineer Mayank Upadhyay write in a research paper to be published this month, Wired magazine reported.
Stina Ehrensvard, founder and CEO of Yubico, confirmed the project for the Toronto Star and explained why Google has to act quickly to replace passwords.
“There are no security threats that cannot be addressed with one-time password technology,” Ehrensvard said.
Yubico, a five-year-old California company whose clients include the U.S. Defense Dept., makes thumb- and quarter-sized encryption keys and wearable rings that plug into ports on PCs, laptops and smartphones and spit out new passwords with each sign-on.
If you lose your key or ring, you cancel it the way you would a credit card and get a new one. Users could go back to using their old passwords for the time being but like credit cards, they can get you a new one quickly and give you emergency access in the meantime.
Yubico is not the only encryption company Google is talking to, Ehrensvard said. But the pilot project is well on its way to reality.
“This is a game changer. However, in order for it to be really fully adopted, browsers also need to adopt it.
“ID theft is costing more than $1 trillion every year. If we don’t solve the problem, the whole creation of the Internet will be in serious trouble.
“Every organization that has a cloud-based business has a reason to be worried and a reason to do something.”
As Google and the banks, governments and corporations it deals with move on to the cloud (the Internet-based remote network of data), their vulnerability in a password-based security system increases and Google knows it has to solve that problem, she said.
The U.S. military think-tank Defense Advanced Research Projects Agency (DARPA) in 2011 put out a call for developers to create a system to replace old technology and insecure passwords that would identify unique characteristics of each user.
“The age of the password is over. We just haven’t realized it yet,” Wired editor Mat Honan wrote in November. Honan famously had his entire identity hacked last summer and wrote about it, spurring a half-million people to sign up for Google’s two-step password authentication process.
“Our digital lives are just too easy to crack. With two minutes and $4 to spend at a sketchy foreign website, I could report back with your credit card, phone and Social Security numbers and your home address.
“Five minutes more and I could be inside your accounts for, say, Amazon, Best Buy, Microsoft and Netflix,” Honan wrote.
Users have resisted tokens and encryption keys because passwords are simple and don’t require remembering where you put them, said Ehrensvard
“In real life, you have a token to lock your house. In the physical world, if we see someone has been in our homes, we do not accept that but for some reason we don’t have the same perception in the Internet world,” she said.
“Although often we have more sensitive information in our digital world than in our houses.”
Google recognizes the hurdles it faces.
“Others have tried similar approaches but achieved little success in the consumer world,” Google’s Grosse and Ypadhyay write in the engineering journal IEEE Security and Privacy Magazine, Wired reported.
“Although we recognize that our initiative will likewise remain speculative until we’ve proven large scale acceptance, we’re eager to test it with the other websites.”
http://www.thestar.com/business/article ... -passwords