
Google Declares War On the Password

An anonymous reader writes "Wired reports on a research paper from Google employees about the future of authentication on the web. 'Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,' the authors write. Their plan involves authenticating just once, to a single device, and then using that to unlock all of your other accounts. 'We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity.' Recognizing that this isn't something they can accomplish on their own, they've gone ahead and created a device-based authentication protocol that is 'independent of Google, requires no special software to work — aside from a web browser that supports the login standard — and which prevents web sites from using this technology to track users.'"
  • Re:Brilliant idea (Score:4, Informative)

    by aahzmandius ( 52806 ) on Friday January 18, 2013 @02:07PM (#42627093)

    So have the phone de-auth after a certain amount of time without you entering your credentials. You'd still only have to remember credentials to one device, and then *it* does all of the 'heavy lifting' of authenticating everywhere else.

  • Do not RTFA (Score:5, Informative)

    by Night64 ( 1175319 ) on Friday January 18, 2013 @02:20PM (#42627263)

    Would you all PLEASE not RTFA this time? I cannot, for the love of God, read another whiny story about "I'm Matt Honan and I was fucked in the ass (metaphorically speaking) by a 15 year old". And if this post gets slashdotted, Wired will post another 100 stories about that. So please DNTRFA!

  • Re:Brilliant idea (Score:5, Informative)

    by terrab0t ( 559047 ) on Friday January 18, 2013 @02:27PM (#42627363)

    I use a password manager to solve this problem. It stores all (or a large set of) my passwords in an encrypted database. I have one very strong password that lets me access the database. The passwords it stores are all strong (sometimes hard to remember) passwords that I do not have to store in my head.

    I still have all of my eggs in one basket, but that basket is sealed in a solid iron box.

  • Re:Brilliant idea (Score:5, Informative)

    by kaiser423 ( 828989 ) on Friday January 18, 2013 @02:33PM (#42627447)

    It really is. I love their current implementation. It's actually security done right. I use Google Authenticator on my phone. If I login from an unknown computer, it asks me for a pass code also, which I just bring up on my phone. I only need to remember the password to my phone/tablet. It's easily the most seamless and secure two-factor authentication I've ever used, and I've used a lot of them...

    I also use it as a token to access a couple of other sites. I believe that Apache has a module that can sync to Authenticator. It's great two-factor.

    It also comes with a list of one time codes that I can carry around for when I don't have access to my phone or tablet.

    It's like a permanent key/password manager for all of Google. It'd be great to turn it into my whole life. Much easier to just de-sync the Authenticator, then re-sync rather than blow away passwords for all sites, then re-create them for all sites if something gets compromised.

    TL;DR I trust Google to do this right because they're already miles ahead of everyone else.
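
The commenters above describe Google Authenticator codes and the printed list of one-time backup codes. The block below is an added example (not code from the thread, Google, or any vendor) showing how such codes are actually computed: HOTP (RFC 4226) and TOTP (RFC 6238) over a shared secret, a server-side check with a small clock-skew window, and backup codes that the server stores only as hashes and accepts once. The secret is the ASCII test-vector string from the RFCs, and the backup-code format is an assumption made for the demo.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) in pure standard-library Python.

Added illustration, not Google's or any vendor's code. The shared secret is
the RFC test-vector string '12345678901234567890'; the verification window
and backup-code format are choices made for this example.
"""
import hashlib
import hmac
import secrets
import struct
import time

# RFC 4226/6238 test-vector secret (constructed per the RFCs, not a real key)
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HMAC-based one-time password: HMAC(secret, counter) -> dynamic truncation."""
    msg = struct.pack(">Q", counter)           # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                    # low nibble of last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """Time-based OTP: HOTP over the number of elapsed time steps."""
    return hotp(secret, int(unix_time // step), digits, algo)


def verify_totp(secret, candidate, unix_time, step=30, window=1):
    """Server-side check accepting +/- `window` steps to absorb clock skew.
    Constant-time comparison so the response timing leaks nothing about the code."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def make_backup_codes(n=5):
    """Printable one-time backup codes plus their hashes; the server keeps only the hashes."""
    codes = [secrets.token_hex(4) for _ in range(n)]   # constructed format: 8 hex chars
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_backup_code(stored, code):
    """Each backup code works exactly once: its hash is removed on successful use."""
    h = hashlib.sha256(code.encode()).hexdigest()
    if h in stored:
        stored.discard(h)
        return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(TEST_SECRET, now)
    print("current code:", code, "verifies:", verify_totp(TEST_SECRET, code, now))
    codes, stored = make_backup_codes(3)
    print("backup code reuse accepted:", redeem_backup_code(stored, codes[0]) and redeem_backup_code(stored, codes[0]))
```

The "re-sync" the commenters mention is simply replacing `secret` on both sides; every previously issued code and every copy of the old secret then stops verifying, which is why a single rotation re-secures every site that shares the authenticator.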

  • Re:Brilliant idea (Score:5, Informative)

    by realityimpaired ( 1668397 ) on Friday January 18, 2013 @02:38PM (#42627519)

    There is a device called a "telephone". You pick up a "receiver", and "dial" a series of numbers associated with the person or company you are trying to communicate with.

    Your cell phone has a similar series of numbers associated with it, with which your service provider can locate your IMEI code (which is much more useful for remotely killing your phone than the SIM card). Additionally, they can burn the IMEI so that it can't be activated on other providers (at least in most of the world). If you do not know your telephone number, then they can find it with your name, your account number, and many other pieces of information you can give them. Most cell providers have an option in their IVR to report a lost or stolen phone, too, with after-hours emergency support.

  • Re:Brilliant idea (Score:5, Informative)

    by Baloroth ( 2370816 ) on Friday January 18, 2013 @02:40PM (#42627541)

    True, but if that password manager gets compromised by, say, Red October via capturing your keystrokes, everything is compromised for all sites until you take the time to individually change each one.

    Currently, with Google Authenticator, I have it set up to authenticate me for a number of things, as if it gets compromised, simply telling it to re-sync again re-secures all of my credentials. Much, much better management. Single point control.

    LastPass offers Google Authenticator security over the vault, which means even if they get the master password they still wouldn't be able to access my vault. This does, however, mean the vault is technically not under my complete control (since I don't store it locally, although I do keep a semi-regular backup of it). But, the advantage is worth it in my opinion.

  • Common sense, FTW (Score:5, Informative)

    by Okian Warrior ( 537106 ) on Friday January 18, 2013 @02:44PM (#42627591) Homepage Journal

    Suppose you have a "smart" credit card in the form of one of those "credit card" calculators. Keypad + simple LCD display.

    When you use the card, you type a pin/password on the card, which then generates a new single-use credit card number which attaches to your account, encrypts it with your personal key, and sends it off when the card is swiped.

    If you lose your card, no one else has access since they don't have your PIN(*). No one can snoop the data since it's encrypted en-route. No one can copy your card since the information never leaves the card and anyway the number is single-use only.

    Suppose this same card is in the form of a thumb drive. It identifies as a security token, and will encode and decode on request, but will not under any circumstance let the keys out. All calculations are done on the device, the code is fixed and cannot be changed, and requires a PIN once when the computer boots.

    You don't have to worry about viruses or data leaks.

    Since it is a thumb drive, you can add public keys with abandon. To do business with any company, you send them a token encoded with your private key and their public key, they send you information using their private key and your public key. The card will require the operator to enter the PIN to store a new corporate key (for convenience). All the public keys for your credit cards, store cards, bank access, &c are stored in one place.

    Suppose the device is Bluetooth-enabled. Now you don't need to hunt around for a USB port - you can enter your PIN and hit "accept" when you want to make a purchase at a store - after the LCD display shows you the purchase price.

    If you lose your device you get a new one. Go to the bank, show identification, get a new card with the bank's keys on it. If the bank keeps a backup of your stored corporate keys, they can download the keys along with your new private key at their secure site.

    The important bit for all of this is a) the calculations are done on the device not an external computer, and b) storage for multiple corporate keys (visa, MC, Pennys, Wal-Mart, &c) in one device.

    This has been obvious for years, it's just one of those cases where the entrenched monopoly has no incentive to fix the problem.

    (*) Even assuming a thief can hack the physical card, it takes credit card theft away from "millions of cards were exposed by computer hack" to "lots of work required to hack a single card". And your bank will invalidate your old private key when the new card is issued.

  • Re:Brilliant idea (Score:2, Informative)

    by Anonymous Coward on Friday January 18, 2013 @03:04PM (#42627823)

    A time stream of data is distinguishable with something you are, since the data function f(t) is warped by your token. Look up stream ciphers and the like. These are not vulnerable to replay attacks.

    I like stream ciphers for cell phone security.
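
Okian Warrior's card above has three properties worth seeing in code: the key never leaves the device, a PIN gates every use (and the card locks after repeated failures, per the footnote), and each purchase gets a single-use number bound to the amount shown on the display. The Anonymous Coward reply adds that such per-transaction data must not be replayable. The block below is an added example, not any vendor's protocol. One stand-in is declared up front: the comment describes a public/private key pair, but the Python standard library ships no asymmetric signatures, so card and bank here share one symmetric key and use HMAC; the key still never leaves the `Card` object, and the replay and tamper checks are the same ones a signature-based design would make. Card ids, PINs, merchants and amounts are constructed.

```python
"""Device-resident key, PIN gate, and single-use amount-bound authorizations.

Added example modelled on the 'smart card' comment above and the replay
remark after it. Stand-in: HMAC under a key shared by card and bank instead
of the public/private pair the comment describes. All ids, PINs and amounts
are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct


def _tag(key, card_id, counter, merchant, cents):
    """MAC over every field the bank must trust; altering any field breaks it."""
    msg = card_id.encode() + struct.pack(">QQ", counter, cents) + merchant.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """The key stays inside; only PIN-gated, per-transaction tokens come out."""
    MAX_PIN_TRIES = 3

    def __init__(self, card_id, key, pin):
        self.card_id = card_id
        self._key = key                                    # never returned by any method
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._counter = 0                                  # source of the single-use number
        self._failed = 0

    def authorize(self, pin, merchant, cents):
        """Return a one-time token for exactly this merchant and amount, or None."""
        if self._failed >= self.MAX_PIN_TRIES:
            return None                                    # card locked after too many bad PINs
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self._failed += 1
            return None
        self._failed = 0
        self._counter += 1                                 # fresh number for every purchase
        return (self.card_id, self._counter, merchant, cents,
                _tag(self._key, self.card_id, self._counter, merchant, cents))


class Bank:
    """Verifies tokens: each counter value is accepted once (no replay) and
    the MAC covers the amount (no tampering between card and bank)."""

    def __init__(self):
        self._keys = {}
        self._used = {}

    def issue(self, card_id, pin):
        key = os.urandom(32)                               # constructed per-card key
        self._keys[card_id] = key
        self._used[card_id] = set()
        return Card(card_id, key, pin)

    def revoke(self, card_id):
        """Lost card: the old key stops verifying; issue() a replacement."""
        self._keys.pop(card_id, None)

    def settle(self, token):
        card_id, counter, merchant, cents, tag = token
        key = self._keys.get(card_id)
        if key is None or counter in self._used[card_id]:
            return False                                   # unknown/revoked card or replay
        if not hmac.compare_digest(_tag(key, card_id, counter, merchant, cents), tag):
            return False                                   # amount, merchant or counter altered
        self._used[card_id].add(counter)
        return True


if __name__ == "__main__":
    bank = Bank()
    card = bank.issue("card-0001", "4242")
    token = card.authorize("4242", "Store A", 1999)
    print("first settle:", bank.settle(token), "replay:", bank.settle(token))
```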

  • by AmiMoJo ( 196126 ) * <mojo&world3,net> on Friday January 18, 2013 @03:08PM (#42627867) Homepage Journal

    > I really mean it: I don't want to have to login to the internet. You keep trying to get me to do it with Chrome, so I switched from that

    You know it is literally one click and it won't bug you again, right?

    > Sometimes I want to surf anonymously.

    And sometimes you want to authenticate yourself. Just don't authorize sites you don't trust to use your authentication, or enable private browsing mode.

    > Sometimes I don't want Site X and Site Y knowing that I'm the same person logging into both.

    TFS mentions that Google's system makes this impossible.

    > Let's not even get into what happens if my phone gets stolen, and suddenly all my consolidated information is at some stranger's fingertips.

    Just password protect the phone. That is the point - you have a single password for the phone that you don't use anywhere else. The unlocked phone is used for authentication, which is anonymous. The site doesn't get to track you with it, doesn't get your phone number, doesn't get access to your private data. That includes Google, as TFA makes clear.

    Protips: read TFA before ranting and never go full retard.

  • Re:Brilliant idea (Score:5, Informative)

    by DMUTPeregrine ( 612791 ) on Friday January 18, 2013 @03:32PM (#42628127) Journal

    KeePass allows the use of key files on USB drives (or any drive). This allows you to control the password safe, and the key file needed for authentication forms the second (something you have) factor.

  • Re:Brilliant idea (Score:5, Informative)

    by Anonymous Coward on Friday January 18, 2013 @04:06PM (#42628533)

    I stopped using LastPass and switched to hiding KeePass in SpiderOak last year when someone downloaded LastPass' entire, albeit encrypted, password database. I was burned bad by that break-in, because I had to sit there and change dozens of passwords just in case. I migrated to KeePass and generated very strong long random passwords for each website with it. I can't login to any sites now without it. I'd also recommend locking your KeePass with a key file that you keep hidden elsewhere in addition to a password just in case your main password is stolen. Oh, and if you use webmail like Gmail, make sure to use the two-factor authentication that they provide to give some added security. It is far too easy to reset an account with very little knowledge of the person who owns the account, e.g. Wired's editor. I have a personal example of this myself: a coworker didn't know the password to a Gmail account that we had set up for sending out continuous build integration emails (I.T. has lots of ports blocked and won't configure Exchange for us) and we needed to reconfigure it. I simply guessed the location he had logged in at (he's in another country) but that didn't work, and then I tried his various known email addresses and one of them was accepted. Google gave me full access to the account; it was ridiculously easy. But, I digress. However, we still need at least a second part of the equation to protect a scheme like the one they're recommending. What they're offering is only one-factor and is just as poor if not more poor than using a password alone; it's only together that they're strongest.
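
Two comments above (DMUTPeregrine's and this one) recommend locking a KeePass database with a password and a key file, so that the stored password alone cannot open it. The block below is an added example of that composite-key idea; it is not KeePass's on-disk format or its actual key-derivation routine, and the salt, iteration count, key-file bytes and key-check construction are all choices made for the demo. It shows the property the commenters rely on: with either factor wrong or missing, the derived key is different and the unlock check fails.

```python
"""Two-factor vault unlock: password (something you know) + key file
(something you have), in the spirit of the KeePass setup described above.

Added example; NOT KeePass's format or key derivation. Salt, rounds,
demo key-file bytes and the key-check value are constructed for the demo.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000            # constructed; tune to ~0.5 s on your own hardware
DEMO_KEY_FILE = bytes(range(64))   # constructed stand-in for a random key file on a USB stick


def composite_key(password, key_file, salt):
    """Hash each factor separately, concatenate, then stretch with PBKDF2.
    A missing or different key file changes the input, so the password
    alone yields a different (useless) key."""
    pw_digest = hashlib.sha256(password.encode("utf-8")).digest()
    kf_digest = hashlib.sha256(key_file).digest() if key_file is not None else b""
    return hashlib.pbkdf2_hmac("sha256", pw_digest + kf_digest, salt, PBKDF2_ROUNDS, dklen=32)


def create_vault_header(password, key_file):
    """Return the public header a vault would store next to its encrypted body."""
    salt = os.urandom(16)
    key = composite_key(password, key_file, salt)
    # Key-check value: lets unlock fail fast on a wrong factor without exposing the key.
    verifier = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier}


def unlock(header, password, key_file):
    """Return the vault key, or None if password or key file is wrong/missing."""
    key = composite_key(password, key_file, header["salt"])
    expected = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["verifier"]):
        return None   # wrong password, wrong/missing key file, or tampered header
    return key        # in a real manager this key would decrypt the AES vault body


if __name__ == "__main__":
    header = create_vault_header("correct horse battery", DEMO_KEY_FILE)
    print("both factors:", unlock(header, "correct horse battery", DEMO_KEY_FILE) is not None)
    print("password only:", unlock(header, "correct horse battery", None) is not None)
```

Because the key file's hash is part of the PBKDF2 input, an attacker holding a copy of the database and a keylogged master password still has to obtain the file from wherever it is hidden; the verifier value reveals nothing about the key on its own.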

  • Re:Brilliant idea (Score:5, Informative)

    by kevmeister ( 979231 ) on Friday January 18, 2013 @05:30PM (#42629389) Homepage

    +1 for LastPass.

    LastPass keeps an AES encrypted vault on my system, so I can use it when their vault is unreachable. AES is important as too many password "vaults" use undefined or obsolete and possibly vulnerable encryption. Works with Google Authenticator, too. Runs on Windows, MacOS, Linux and even my FreeBSD systems as well as iOS and Android. I'll admit that the mobile version is sub-optimal, but it does work. (A few apps don't allow a paste into the password field, so it won't work properly with them.)

    Oh. It is commercial and not free for mobile devices. It is subscription based, costs about USD 1 a month for all mobile devices sharing a single vault and is paid annually. It is free for desktop devices. LastPass also owns XMarks, the multi-browser bookmark and history sync service that I also use.

    I have no association with LastPass other than as a generally happy user.
