Two Google engineers have brought up the idea of creating cryptographic rings to help users securely log into websites and other services. Eric Grosse and Mayank Upadhyay, both Google bods, have submitted the paper Authentication at Scale to the IEEE Security & Privacy Magazine for review.
The core point of the submission is that weak passwords are a bigger threat to online security than malware infection, hacker attacks, and other cyber espionage programs. That makes authentication the larger problem, one the authors propose to address with a combination of risk-based checks, second-factor options, privacy-enhanced client certificates, and different forms of delegation.
This is not Google's first attempt to strengthen the authentication process for online users: it introduced a two-step login process for its Gmail website two years ago. This optional two-factor verification adds an extra layer of security to Google accounts by linking them to a registered mobile phone number. Taking its efforts to the next level, the search and ad giant is now experimenting with Yubico cryptographic USB devices that generate one-time passcodes (OTPs) for logging into websites. The YubiKey combines a unique public ID number with a series of bytes generated on the fly to produce a one-time code which, when used with an account username and password, logs the user into the service for that one session only. This adds an extra layer of security for users.
Interestingly, this YubiKey is supposed to take the form of a finger ring that users will tap against their machines to authenticate themselves.
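As an added illustration (not code from the paper, from Google or from Yubico), the following is a simplified server-side model of the one-time-code flow described above: each code carries the device's public ID plus freshly generated bytes, the server checks it against that device's secret, accepts each code only once, and ties it to a username and password. The token layout here is an HMAC-based stand-in and the device IDs, user records and passwords are constructed; the real YubiKey OTP uses a different, AES-based encoding.

```python
import hashlib
import hmac
import secrets
import struct

# Everything below (device IDs, secrets, users, the code layout) is constructed
# for illustration; it is a simplified model, not the actual YubiKey OTP format.


class Token:
    """Simulated hardware token: a public ID, a per-device secret and a
    counter that only ever increases, so the device never emits a value twice."""

    def __init__(self, public_id, secret):
        self.public_id = public_id
        self.secret = secret
        self.counter = 0

    def generate(self):
        """Emit one code: <public_id>.<hex of counter || nonce || tag>."""
        self.counter += 1
        nonce = secrets.token_bytes(4)                      # bytes generated on the fly
        body = struct.pack(">I", self.counter) + nonce
        tag = hmac.new(self.secret, self.public_id.encode() + body,
                       hashlib.sha256).digest()[:8]
        return f"{self.public_id}.{(body + tag).hex()}"


class Verifier:
    """Server side: knows each device's secret and the last counter it accepted."""

    def __init__(self, devices):
        self.devices = dict(devices)                        # public_id -> secret
        self.last_counter = {pid: 0 for pid in devices}

    def verify(self, otp):
        """Return (accepted, reason). Reasons are for logging, not for display."""
        pid, _, hexpart = otp.partition(".")
        secret = self.devices.get(pid)
        if secret is None:
            return False, "unknown device"
        try:
            raw = bytes.fromhex(hexpart)
        except ValueError:
            return False, "malformed"
        if len(raw) != 16:
            return False, "malformed"
        body, tag = raw[:8], raw[8:]
        expected = hmac.new(secret, pid.encode() + body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False, "bad mac"                         # forged or corrupted code
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter[pid]:
            return False, "replayed"                        # seen before, or older than last seen
        self.last_counter[pid] = counter                    # consume the code
        return True, "ok"


def make_user(password, device_ids):
    """Constructed user record: salted PBKDF2 password hash plus registered devices."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "pw_hash": pw_hash, "devices": set(device_ids)}


def login(verifier, users, username, password, otp):
    """Two-factor login: password first, then the device must belong to this
    user, then the code itself. The binding check comes before verify() so a
    failed login never consumes a valid counter value."""
    user = users.get(username)
    if user is None:
        return False, "unknown user"
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    if not hmac.compare_digest(derived, user["pw_hash"]):
        return False, "bad password"
    if otp.partition(".")[0] not in user["devices"]:
        return False, "device not registered to user"
    return verifier.verify(otp)


if __name__ == "__main__":
    secret = secrets.token_bytes(16)
    token = Token("dev0001", secret)
    verifier = Verifier({"dev0001": secret})
    users = {"alice": make_user("correct horse battery staple", ["dev0001"])}
    code = token.generate()
    print(login(verifier, users, "alice", "correct horse battery staple", code))  # (True, 'ok')
    print(login(verifier, users, "alice", "correct horse battery staple", code))  # (False, 'replayed')
```

The two properties worth noticing are that a captured code is useless after its first use (the strictly increasing counter rejects both exact replays and any code older than the last one accepted), and that a code from a valid device still fails when that device is not registered to the account being logged into.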
“We’d like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity,” Grosse and Upadhyay wrote.
“Others have tried similar approaches but achieved little success in the consumer world. Although we recognize that our initiative will likewise remain speculative until we’ve proven large scale acceptance, we’re eager to test it with other websites.”
This proposed finger gadget by Google actually sounds like a signet ring, a ring used by nobles during the Middle Ages to authenticate their identity on documents. The ring would be worn by the noble (the so-called account owner) and carried the family crest or seal. Pressed into hot wax, it would produce a "seal" or signature proving it was they (or perhaps someone else who had stolen the ring).
“We might even see Google call this project ‘Signet’ in honor of this practice,” says Kyt Dotson, HackANGLE editor. “Pure speculation right now, but the additional factor of a worn dongle using NFC or Bluetooth to procure extra authentication could be used for people interested in more security on the ‘something you have’ front. Already keychain fob authenticators are common for MMORPG games such as World of Warcraft; it would be no surprise if Google got on a similar bandwagon with their services (although for a fee).”