While I agree that passwords may be deemed unsafe and insufficient today, in my opinion a physical device kept on your person is not the way to solve the issue. If you misplace your USB device or 'pass key ring' anyone who picks it up may have access to every online account you own. Bad idea.
Thoughts?
>If you misplace your USB device or 'pass key ring' anyone who picks it up may have access to every online account you own.

No, you'd still need a password AND the device. It wouldn't be just the device. This is why companies issue their employees RSA tokens. You still need a username and a password (something you KNOW), and then you use the random number on the token (something you HAVE). If someone picked up your physical form of security, your token for instance, they would have no idea what account it belongs to, your username, your password, or your PIN. It would be useless to them. Companies already do this and it's extremely safe and effective. If I lost my RSA token for work, no one would have any clue what it was for, how to connect to my network, where I work, and even if they figured that out they'd still need my username/password/PIN to go with it.

It's not a bad idea in my opinion. It's actually in better accordance with the CISSP security standards. There are three forms of security auth. "Something you KNOW", like a username and password. "Something you HAVE", like a physical RSA token. And "Something you ARE", like a biometric fingerprint reader or voice authorization. Using only one form of that is weak, but combining two forms of security makes authorization that much harder to fake or spoof. Combining two is what Google is thinking about doing. That's a good thing and much more secure. The article didn't really explain that part, and does kind of imply passwords wouldn't be needed anymore, but I don't think that's right and the article kind of left that out.
The Wired article they link to has a better explanation as to what the Google concept is. It really amounts to getting rid of the password "except in special cases". So, not quite replacing the password, but it most certainly seems like they want to take a lot of password typing away. Taking the Wired article as the basis for my response, I can say I don't think this is a good idea. As AlderaanDuran explained, just passwords is weak and just a device is also weak. So, a combination of both would be best in my opinion. On top of that, I don't want to get a Google device to log in to my accounts. This needs to be an open standard which can be implemented by other organizations like Mozilla, the EFF or even Apple if people are OK with that.
>This needs to be an open standard which can be implemented by other organizations like Mozilla, the EFF or even Apple if people are OK with that.

I hope this is underway. The best chance of an open standard being popularized is if it is the first available.
Ahhh, if that's the case I was mistaken. Anytime a company talks about adding a token-type physical device I assume it's in addition to. The article linked didn't go into details, so perhaps I assumed. Perhaps they are trying to replace passwords entirely, which is indeed kind of a bad idea. It's just swapping one form of security for another, not combining two which would make it stronger. If you are correct, I am not a fan of this either.
I think a lot of online banking in other countries uses something similar. In China you need a USB and password to log on. In the Netherlands, for some banks, you need this device to insert your Mastercard in, enter your PIN on the device, and then you can log on to online banking. It's actually a little annoying. I wouldn't mind the Google device, so long as they are standardized so I won't have to carry 1000 physical devices.