The password has become the black sheep of the security world, ostracized for its inability to actually protect users’ accounts and the laughable ease with which attackers can crack or circumvent it. Now, Google, the most powerful force on the Web, is experimenting with a method that would allow users to do away with passwords for the most part in favor of a hardware-based authentication method.
Google researchers have been looking at ways to improve authentication methods for some time now and have made some inroads on the problem. The most successful example of this is the company’s deployment of two-factor authentication for Gmail users. This option requires that users enter a one-time code sent via SMS to their mobile devices in addition to their main password in order to access their Gmail accounts. The method erects another barrier for attackers to get over in order to hack a Gmail account, a nice improvement.
But the two-factor authentication system still relies on a password. Google is working on a way to make the password much less important, if not entirely obsolete. The company has developed a method that enables people to use a hardware token to give them instant authenticated access to their Google accounts, including Gmail, Google Apps and other services, Wired reports. The system relies on a tiny smartcard that generates one-time passwords for authentication.
Password security has been a problem for decades and many other companies have attempted to solve it. However, no one has developed a successful replacement for passwords. Then again, none of the companies trying to solve the problem has had the reach and influence Google has, so the potential for this idea to reach a broad audience is quite high. That doesn’t mean that passwords are going to disappear any time soon, though.
“It is not yet Google’s stated intention to replace passwords with some other form of authentication; some of the company’s employees simply wanted to see how secure different authentication systems could be and USB tokens were among those they tried out. It’s more like a bit of research, though it’s not really clear how applicable it is for Google’s own services. Tokens like these are widely used on corporate networks, but using them to safeguard a free online mail account is excessive. It’s not the most convenient solution for users because it restricts their ability to check mail on any device, say at a friend’s or an internet café. And besides, there are other perfectly good methods of increasing security such as two-factor authentication with text messages, which is already used by Gmail,” said Alex Gostev, chief malware expert at Kaspersky Lab.
Widespread adoption of a method like the one Google is proposing would take quite a while, but it’s encouraging to see researchers trying to find solutions to one of the thornier security problems users have.