Google's 'Magic Ring' Could Kill the Password


M

Metspitzer

Google is researching a way to kill the password, this time with a
magic ring.

No, it isn’t a weird metaphorical movie plot. The idea is to use a
trinket that plugs into the USB slot on a computer and authenticates
the user.

At the RSA Security conference in San Francisco, Mayank Upadhyay, a
principal engineer at Google who specializes in security, said the
experience of logging on to a computer or website should be as simple
as using an ATM machine, which is why the company is looking into the
USB technology as an alternative to passwords.

New Google Glass Video Gives Glimpse of the Future

Overall, passwords don’t work well for many people. That’s because
people either have too many and need to write them down — violating
rule number one of password security — or they have one that they use
in several places, increasing their security risk.

Carrying a token could make authentication easier, because a person
wouldn’t have to remember all those passwords.

Google’s prototype is a USB drive mounted on a ring or other small
piece of jewelry that uses a piece of digital information knows as a
cryptographic key. It’s a bit of software that serves as the encoding
and decoding method for secret communications. Cryptographic keys used
in computer systems are based on complicated mathematical algorithms,
but their purpose is simple: encode a message so that it’s unreadable
to anyone else but the intended recipient and read a coded message
that’s meant only for you.

Here’s how it would work. Let’s say you want to access your checking
account information from your bank’s website. First, you must register
your cryptographic key with the bank. That would involve inserting the
USB drive into your computer, logging onto the bank’s website and
walking through a couple of authentication prompts, similar to how
creating a new account works already.

During this process, two software keys get generated: one public and
one private. The public key gets sent to the bank’s website for use
later. The other remains stored on the USB drive.

Later, if you want to transfer money from your checking account to
your savings, you visit the website with your USB key inserted in your
computer. At the bank’s website, a login screen would pop up, but
instead of entering your username and password, you would click a
button that said “authenticate” — or even skip that step altogether.
The bank uses the public crytopgraphic key created during registration
to encode a message that it sends to your USB drive. That message is a
mathematical “challenge” that can only be solved by the private key
stored on your USB drive.

This kind of public-private key encryption is common; it relies on the
fact that some mathematical operations are hard to reverse. For
instance, multiplying 3 and 18 is easy to do, but factoring out the
result — 54 — into the smallest possible prime numbers (1, 3, 3, 3,
and 2) is harder, because you have to do more mathematical steps.
Encrypting a message with the public key is like multiplying the two
numbers, and the decryption process is like factoring the result and
looking for two specific numbers. If you want to decode the message
without the key, you don’t know if the numbers you want are 2 and 3, 3
and 3, or 1 and 3, or possibly some other combination like 6 and 9.
That’s what makes this kind of cryptography work so well — a big
number has billions of possible combinations of factors.

Because a user is not typing in a password, she is safe from hackers
who may be using software that records keystrokes to steal her login
information. And a cryptographic key also deals with “man in the
middle” hacks, which involve someone monitoring the digital
communications between a user and a website and stealing that
information to be used later.

Your Brain Is Your Password

A magic ring certainly deals with the problem of password hacks, but
it doesn’t necessarily address what happens if the user loses the USB
drive. Of what happen if an unscrupulous person got a hold of the
ring, he’d most likely be able to access secured websites, assuming he
had enough information such as the user’s name. On the bright side, in
this sense it is similar to losing your house or car keys — if someone
finds your house keys, they can’t break into your home without knowing
the address.

It does offer some neat ideas for a modern take on the “Lord of the
Rings” movie, though. Would it involve a quest to drop a USB ring into
an incinerator?

http://news.discovery.com/tech/gear...asswords-magic-ring-130314.htm#mkcpgn=rssnws1

Instead of having a USB ring, many could just use their cellphone.
 
Ad

Advertisements

F

Flasherly

New Google Glass Video Gives Glimpse of the Future

I've about had it with GOOGLE.

I'll tell you what GOOGLE can have that's left over, though: 1) Since
I do know how to watch credit card transactions for suspicious,
malicious, or otherwise erroneous entities. 2) [While] wanting nothing
especially to do with the Internet and, specifically, banks as
physical entities and care/trust representatives of a personal state
of wealth;- nor do I want the FBI, particularly, having access/eminent
domain over my banking finances and records, all apart from the
Internet (in an unrelated national BILL presently under
consideration).

Perhaps that's not much, I'm so sorry, but GOOGLE's certainly welcome.
Maybe they'll invest a play ring, like a plastic concrete truck for
little boys to play with until they're old enough, someday to send one
to me, for when I'm ready to level the world from a $900/US 5x7"
mobile device.
 
Y

Yousuf Khan

At the RSA Security conference in San Francisco, Mayank Upadhyay, a
principal engineer at Google who specializes in security, said the
experience of logging on to a computer or website should be as simple
as using an ATM machine, which is why the company is looking into the
USB technology as an alternative to passwords.

As simple as using an ATM machine? A machine that requires a ...
password number? ;)

Yousuf Khan
 
R

RayLopez99

Google is researching a way to kill the password, this time with a

magic ring.

Another use for this is as a dongle for software authentication schemes. Eventually they'll get this right and issue dongles that constantly change numbers generated, not unlike better bank dongles do, and eliminate software piracy once and for all... :-(

RL
 
P

Paul

Metspitzer said:
Google is researching a way to kill the password, this time with a
magic ring.

A magic ring certainly deals with the problem of password hacks, but
it doesn’t necessarily address what happens if the user loses the USB
drive.

<<sound of crickets chirping>>

I'm working on a proposal for next year's RSA conference. It
will involve tattooing the password on your knuckles. For example,
this is my password. No one will ever guess this one.

http://www.computeractive.co.uk/IMG/627/199627/love-hate-knuckles-580x358.jpg?1319716385

Paul
 
R

Rob

Another use for this is as a dongle for software authentication schemes. Eventually they'll get this right and issue dongles that constantly change numbers generated, not unlike better bank dongles do, and eliminate software piracy once and for all... :-(

RL

There won't be any installable software to authenticate if they
get their way. Software will all be 'cloud apps' that you rent
and can only access via an internet connection. Yes, we can
all see situations where that will not work, but it will still
happen anyway. Oh yes: You'll also have to bring your own
device to work and use it for your job. And you'll have to
pay the internet connection charges for doing so from your wages.
The above is the true meaning of 'cloud computing'.
 
Ad

Advertisements

D

DK

As simple as using an ATM machine? A machine that requires a ...
password number? ;)

Muggers of the world will really be thanksful to Google.
Nothing beats the convenience of taking one's USB key to
empty one's bank account.
 
B

BW

Another use for this is as a dongle for software authentication schemes.  Eventually they'll get this right and issue dongles that constantly change numbers generated, not unlike better bank dongles do, and eliminate software piracy once and for all... :-(

RL

About 10 years I worked for a multinational company. To access their
private network from home, you needed a gizmo the size of a box of
matches that generated a new password each day. When somebody was
retrenched, this was the first item they seized from the outgoing
dumpee.
 
Ad

Advertisements


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top