Google looks to kill the password using tiny cryptographic card

Discussion in 'privacy technology' started by lotuseclat79, Jan 19, 2013.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

  2. TheKid7

    TheKid7 Registered Member

  3. EncryptedBytes

    EncryptedBytes Registered Member

    Passwords will be with us for a long time to come; I do not see them going anywhere anytime soon, one reason being user adaptation, and another ease of implementation/cost for online services. I do appreciate Google researching potential new ways of authentication for the masses, as this is something that has received many a debate in the security industry for over twenty years. Not implying progress hasn’t been made in those years, as some interesting proposals come out every year within the focus of password management software, federated login protocols, graphical password schemes, cognitive authentication schemes, one-time passwords, hardware tokens, phone-aided schemes and biometrics. However, as is the case with those fields of research, how this token would be implemented would come with its own set of risks as well; as I’ve seen working in this industry, not only does no known scheme come close to providing all desired benefits, none even retains the full set of benefits that legacy passwords already provide.

    FTA:
    While this quote does hold truth, the primary causes for many of the data breaches over the past couple of years have not been the end users and weak passwords or password reuse, but inefficient or insecure storage controls housing the password data itself. Remember, you can have the most entropic password known to man, or an encrypted token housing a 15360-bit RSA key pair or a 521-bit ECC key pair, and all that will be for naught if they are stored and implemented incorrectly.

    Another point: most organizations, even Google, need to implement alternate ways of authentication in the event of a lost password or token. These negate the whole control and open up other avenues of risk, though users would never accept the security otherwise and would opt for less secure means to get to their data if these alternate means to get to the cookie jar were not present.

    - Just my two cents
     