A neon Google logo is seen as employees work at the new Google office in Toronto, November 13, 2012. Reuters/Mark Blinch
The paper, set to be published in the IEEE Security & Privacy Magazine later in January but already seen
by Wired Magazine, puts forward a very strong argument for the abolition of traditional internet passwords in favor of a physical token such as a ‘smart ring' or a card that connects to the computer via the USB slot.
"Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe," write Google's Eric Grosse and Mayank Upadhyay in the paper. "We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity," they continue.
The paper highlights the difficulty users have in creating and remembering strong and unique passwords for each of their online services and also shows the progress Google has already made in adopting its own services to work with a YubiKey -- a small cryptographic card -- which, when connected to a computer's USB port, automatically logs the user into Google.
Barely a week goes by without a report of a high profile website or web service -- from Google Mail to Yahoo to Sony -- being hacked and account details being compromised. In August a single Drop Box employee's account was hacked and the attackers obtained a list of users' email addresses. In June last year, hackers stole 6 million LinkedIn passwords and posted them to a Russian site to crowdsource the key to their encryption.
At the same time the threat of malware and phishing attacks has never been greater. Use of a physical token for identification would cancel out all of these threats, and if any company has the power and influence to change the way users are authenticated on the web, it is Google.