Metspitzer
Google is researching a way to kill the password, this time with a
magic ring.
No, it isn’t a weird metaphorical movie plot. The idea is to use a
trinket that plugs into the USB slot on a computer and authenticates
the user.
At the RSA Security conference in San Francisco, Mayank Upadhyay, a
principal engineer at Google who specializes in security, said the
experience of logging on to a computer or website should be as simple
as using an ATM machine, which is why the company is looking into the
USB technology as an alternative to passwords.
Overall, passwords don’t work well for many people. That’s because
people either have too many and need to write them down — violating
rule number one of password security — or they have one that they use
in several places, increasing their security risk.
Carrying a token could make authentication easier, because a person
wouldn’t have to remember all those passwords.
Google’s prototype is a USB drive mounted on a ring or other small
piece of jewelry that uses a piece of digital information known as a
cryptographic key. It’s a bit of software that serves as the encoding
and decoding method for secret communications. Cryptographic keys used
in computer systems are based on complicated mathematical algorithms,
but their purpose is simple: encode a message so that it’s unreadable
to anyone else but the intended recipient and read a coded message
that’s meant only for you.
Here’s how it would work. Let’s say you want to access your checking
account information from your bank’s website. First, you must register
your cryptographic key with the bank. That would involve inserting the
USB drive into your computer, logging onto the bank’s website and
walking through a couple of authentication prompts, similar to how
creating a new account works already.
During this process, two software keys get generated: one public and
one private. The public key gets sent to the bank’s website for use
later. The other remains stored on the USB drive.
Later, if you want to transfer money from your checking account to
your savings, you visit the website with your USB key inserted in your
computer. At the bank’s website, a login screen would pop up, but
instead of entering your username and password, you would click a
button that said “authenticate” — or even skip that step altogether.
The bank uses the public cryptographic key created during registration
to encode a message that it sends to your USB drive. That message is a
mathematical “challenge” that can only be solved by the private key
stored on your USB drive.
This kind of public-private key encryption is common; it relies on the
fact that some mathematical operations are hard to reverse. For
instance, multiplying 3 and 18 is easy to do, but factoring out the
result — 54 — into the smallest possible prime numbers (1, 3, 3, 3,
and 2) is harder, because you have to do more mathematical steps.
Encrypting a message with the public key is like multiplying the two
numbers, and the decryption process is like factoring the result and
looking for two specific numbers. If you want to decode the message
without the key, you don’t know if the numbers you want are 2 and 3, 3
and 3, or 1 and 3, or possibly some other combination like 6 and 9.
That’s what makes this kind of cryptography work so well — a big
number has billions of possible combinations of factors.
Because a user is not typing in a password, she is safe from hackers
who may be using software that records keystrokes to steal her login
information. And a cryptographic key also deals with “man in the
middle” hacks, which involve someone monitoring the digital
communications between a user and a website and stealing that
information to be used later.
A magic ring certainly deals with the problem of password hacks, but
it doesn’t necessarily address what happens if the user loses the USB
drive. Or, if an unscrupulous person got a hold of the
ring, he’d most likely be able to access secured websites, assuming he
had enough information such as the user’s name. On the bright side, in
this sense it is similar to losing your house or car keys — if someone
finds your house keys, they can’t break into your home without knowing
the address.
It does offer some neat ideas for a modern take on the “Lord of the
Rings” movie, though. Would it involve a quest to drop a USB ring into
an incinerator?
http://news.discovery.com/tech/gear...asswords-magic-ring-130314.htm#mkcpgn=rssnws1
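The registration and login exchange described in the article above, as an added example that is not part of the original post and is not Google's prototype code. It assumes unpadded textbook RSA purely for illustration (a real token uses a vetted library and hardware key storage); the names `Token`, `Bank` and the user "alice" are hypothetical.

```python
import hmac
import secrets

E = 65537  # public exponent (prime)

def is_probable_prime(n, rounds=20):  # Miller-Rabin test
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if c % E != 1 and is_probable_prime(c):  # keeps gcd(E, c-1) == 1
            return c

class Token:  # stands in for the USB ring; _d never leaves it
    def register(self, bits=512):
        p, q = random_prime(bits), random_prime(bits)
        self.n = p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
        return self.n  # public key, sent to the bank
    def solve(self, challenge):
        return pow(challenge, self._d, self.n)

class Bank:
    def __init__(self):
        self.keys, self.pending = {}, {}
    def enroll(self, user, n):
        self.keys[user] = n
    def challenge(self, user):
        nonce = secrets.randbelow(self.keys[user] - 2) + 2
        self.pending[user] = nonce  # remembered until answered once
        return pow(nonce, E, self.keys[user])  # "encoded" with public key
    def verify(self, user, response):
        nonce = self.pending.pop(user, None)  # single use: a replay fails
        return nonce is not None and hmac.compare_digest(str(nonce), str(response))
```

Because each challenge is a fresh random value that the bank accepts only once, a response captured in transit is useless for a later login.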
Instead of having a USB ring, many could just use their cellphone.