The password system is broken. That seems to be one thing we all agree on. But we're stuck with passwords (or at best, passwords plus security tokens) until someone comes up with something better. Now Google has joined the quest for alternative validation solutions.
The problems with passwords are at least two-fold. Passwords strong enough to resist high-speed brute-force or dictionary attacks are far too complex for everyday use. Social engineering (maliciously requesting password resets) is getting easier as we place more information about ourselves online.
What could substitute for passwords? Biometrics, perhaps, although that looks like a costly, and potentially intrusive, solution. As we've seen, DARPA has been focused on behavioral profiling to authenticate identities. Google seems to be researching two possible measures:
- Modifying Google's web browser to work with Yubico keys.
- A finger ring with an embedded smartcard (one tap, and you're in).
My first reaction is that these approaches fall disappointingly short of the kind of cutting-edge research in which DARPA is engaged. After all, what else is a key or a finger ring but a security token? It's not clear what advantages these devices would have over traditional RSA SecurID, except ease of use. And ease of use can be a security disadvantage.
RSA, of course, promotes a "two-factor" authentication system, relying on a password or PIN as well as a SecurID token. Even this approach presents multiple vulnerabilities. If the token is stolen, the scheme collapses to the strength of the PIN alone, and a weak PIN then offers no additional protection. Researchers have demonstrated the possibility of cracking the tokens through automated attacks. RSA itself suffered a hack attack in 2011 that exposed SecurID-related data.
Google, however, seems to anticipate abandoning passwords altogether and relying on devices alone. The obvious risk with this approach is straightforward theft of the device: with no second factor, whoever holds it is the user. Losing it would be inconvenient too. No longer could one simply ask for a password reset: the device would need to be replaced.
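To make the two scenarios above concrete, here is an added example in Python; it is not code from Google, RSA or Yubico, and not from the original column. It models the token as an RFC 6238 TOTP generator, since SecurID's own algorithm is proprietary, and uses a constructed 20-byte seed, a constructed weak PIN of 1234 and a lockout threshold of five failures; all of those values are assumptions. It shows that a thief holding the device alone passes a token-only check, that when a PIN is also required the thief is reduced to guessing the PIN, and that a lockout after a handful of failures is what actually stops that guessing.

```python
import hashlib
import hmac
import struct

# Constructed demo values: a weak 4-digit PIN and a fixed 20-byte token seed.
# Nothing here comes from RSA, Google or Yubico; the token is modelled as an
# RFC 6238 TOTP generator because SecurID's own algorithm is proprietary.
STEP = 30
TOKEN_SEED = bytes(range(20))
PIN_SALT = b"demo-salt-16byte"
PBKDF2_ROUNDS = 1000  # deliberately low so the demo runs quickly; use far more in production
PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"1234", PIN_SALT, PBKDF2_ROUNDS)


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """One-time code for the time step containing unix_time (RFC 6238, HMAC-SHA1)."""
    counter = unix_time // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def pin_ok(pin: str) -> bool:
    """Constant-time comparison of a salted PBKDF2 hash of the submitted PIN."""
    cand = hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, PIN_HASH)


def otp_ok(code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to tolerate clock drift."""
    return any(hmac.compare_digest(code, totp(TOKEN_SEED, now + k * STEP))
               for k in range(-window, window + 1))


class Verifier:
    """Server side: token check, optional PIN factor, lockout after too many failures."""

    def __init__(self, require_pin: bool, max_failures: int = 5):
        self.require_pin = require_pin
        self.max_failures = max_failures
        self.failures = 0

    def login(self, code: str, now: int, pin: str = "") -> bool:
        if self.failures >= self.max_failures:
            return False  # locked out: no further guesses are evaluated
        ok = otp_ok(code, now) and (pin_ok(pin) if self.require_pin else True)
        self.failures = 0 if ok else self.failures + 1
        return ok


def stolen_token_attack(verifier: Verifier, now: int, max_guesses: int = 10_000):
    """Attacker holds the token, so a valid code is free; only the PIN remains.
    Returns the number of guesses needed, or None if the lockout stops the attack."""
    code = totp(TOKEN_SEED, now)
    for n in range(max_guesses):
        if verifier.login(code, now, pin=f"{n:04d}"):
            return n + 1
    return None


if __name__ == "__main__":
    now = 1_700_000_000
    code = totp(TOKEN_SEED, now)
    print("token only, thief holds device:", Verifier(require_pin=False).login(code, now))
    print("PIN + token, no lockout:", stolen_token_attack(Verifier(True, max_failures=100_000), now), "guesses")
    print("PIN + token, lockout at 5:", stolen_token_attack(Verifier(True, max_failures=5), now))
```

The point the numbers make: a 4-digit PIN is exhausted in at most 10,000 online guesses once the attacker holds the token, so the second factor's real strength comes from the server refusing to keep answering, not from the PIN itself. The `window` argument is the usual drift tolerance; widening it multiplies the codes an attacker can replay, so keep it small.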
How are these devices going to be sent to users? By mail? How would we identify the user requesting a device? Questions, questions.
Trustworthy authentication remains the grail of cybersecurity. We've reached the stage where we know that passwords are not the solution. Tokens are a useful supplement to passwords, but provide no complete answer. The token-only strategy Google is exploring seems regressive.
Authentication will eventually turn on some factor, unique to individuals, which can't be changed or stolen. Biometrics actually don't fit the bill, because the data representing your fingerprints or retinal scan must itself be kept in a database, and any database can be breached; worse, a leaked fingerprint template cannot be revoked and reissued the way a password can. Behavioral interaction with the device being accessed evades that problem -- but how uniquely identifying is behavior, and can't it change?
The solution will come out of left field, and right now I'm betting nobody knows what it is.
— Kim Davis , Community Editor, Internet Evolution