It’s called a YubiKey, and it appears no bigger than your typical thumb drive. The device, a cryptographic card, was developed by start-up company Yubico. To use the fob, one simply slides it into a computer’s USB port. In the pilot project, all it took to log into Google with the fob in place was a click of the mouse. In a paper written for IEEE Security and Privacy Magazine, Google Vice President of Security Eric Grosse and Google engineer Mayank Upadhyay discussed this as one of the possible options for logging into websites in the future.
As with any potential new standard, it’s a question of getting other organizations to use it. To get the security fob to work, the Google engineers needed to modify Chrome, Google’s web browser. But it sounds like it was a simple modification, as no software is downloaded. The fob automatically uses encrypted one-time passwords. It can potentially be built into a finger ring or a smartphone. The idea behind this approach is that you authenticate one device, and then use that as the electronic key to get to all of your digital life.
It’s not exactly a perfect solution. As Wired notes in reporting on the story, “That means that if someone steals your card or your smart-ring, you’d better report it stolen pretty quickly.” At least for now, though, that may be a moot point, until enough websites – and browsers – sign on to support such a system. To that end, Google says that it has developed a protocol for device-based authentication. Google claims that the protocol is independent of the company and calls for no special software to get it working (other than a browser that supports the protocol). Furthermore, the protocol “prevents web sites from using this technology to track users,” notes Wired.
Will this system completely eliminate those annoying passwords that nobody can remember? Probably not – but maybe they can be simpler, with the security fob becoming the primary means of authentication. Grosse thinks that “We’ll have to have some form of screen unlock, maybe passwords but maybe something else, but the primary authenticator will be a token like this or some equivalent piece of hardware.”
While a new security solution seems long overdue, it will still have to answer those age-old questions: how can we secure our data so that only those with permission to work with it can get to it? How can we prevent those who shouldn’t have access to that information from getting to it – or somehow getting the means to get to it? Nothing is totally foolproof, but it will be interesting to see if Google gets any takers – and how well, in practice, this device compares with passwords for keeping personal information secure.