Google's Authentication Research
Google is working on non-password authentication techniques.
But for Google’s password-liberation plan to really take off, they’re going to need other websites to play ball. “Others have tried similar approaches but achieved little success in the consumer world,” they write. “Although we recognize that our initiative will likewise remain speculative until we’ve proven large scale acceptance, we’re eager to test it with other websites.”
So they’ve developed an (as yet unnamed) protocol for device-based authentication that they say is independent of Google, requires no special software to work—aside from a web browser that supports the login standard—and that prevents web sites from using this technology to track users.
The great thing about Google’s approach is that it circumvents the really common attack that even Google’s existing mobile-phone authentication system can’t prevent: phishing.
They have enough industry muscle that they might pull it off.
Another article.
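The post does not give the protocol's details, so the following is an added toy model, not Google's design or code from the article: a token derives an independent key per origin, and signs each challenge together with the origin the browser reports. That is enough to show the two properties claimed above, that a phishing page relaying a real challenge gets an unusable response, and that two sites cannot link the same token (site names and the HMAC construction are illustrative assumptions).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Token:
    """Device-bound secret; per-origin keys are derived, never stored or shared."""
    master: bytes = field(default_factory=lambda: os.urandom(32))

    def site_key(self, origin: str) -> bytes:
        # Distinct origins give pseudorandom, unlinkable keys: nothing to track across sites.
        return hmac.new(self.master, b"site-key|" + origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        return self.site_key(origin)  # handed to the site once, at enrolment

    def respond(self, browser_origin: str, challenge: bytes) -> bytes:
        # The browser, not the page content, supplies the origin, so the
        # response is bound to wherever the user actually is.
        msg = challenge + b"|" + browser_origin.encode()
        return hmac.new(self.site_key(browser_origin), msg, hashlib.sha256).digest()


class Site:
    def __init__(self, origin: str):
        self.origin, self.keys, self.pending = origin, {}, {}

    def enroll(self, user: str, key: bytes) -> None:
        self.keys[user] = key

    def challenge(self, user: str) -> bytes:
        self.pending[user] = os.urandom(16)  # single-use nonce
        return self.pending[user]

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)
        if nonce is None:
            return False  # no outstanding challenge (also defeats replay)
        msg = nonce + b"|" + self.origin.encode()  # the site binds its own origin
        expected = hmac.new(self.keys[user], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def legitimate_login(token: Token, site: Site, user: str) -> bool:
    return site.verify(user, token.respond(site.origin, site.challenge(user)))


def relayed_phish(token: Token, site: Site, phish_origin: str, user: str) -> bool:
    # A look-alike page relays the real challenge, but the victim's browser
    # reports the look-alike origin, so the response never matches the real site.
    return site.verify(user, token.respond(phish_origin, site.challenge(user)))


def unlinkable(token: Token, origin_a: str, origin_b: str) -> bool:
    return token.register(origin_a) != token.register(origin_b)
```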
B. Johnson • January 22, 2013 12:42 PM
I’m a little skeptical of the idea. Only requiring a password for major account changes and relying on a physical token for standard access seems to me like the reverse of what it should be. The fact that you could unknowingly lose (or have stolen) the token for any length of time before noticing means that someone could wreak havoc in the meantime. With a password as the “first line” you know that nobody would ever be able to get that without you knowing (i.e. telling them).
Realistically I think that password + challenge-and-answer token would be the way to go, especially since the people that are screwing up passwords out of ignorance or laziness are going to screw up anything else for the same reasons.
“...a common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.”