"... Want an easier way to log into your Gmail account? How about a quick tap on your computer with the ring on your finger?
This may be closer than you think. Google's security team outlines this sort of ring-finger authentication in a new research paper, set to be published late this month in the engineering journal IEEE Security & Privacy Magazine. In it, Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay outline all sorts of ways they think people could wind up logging into websites in the future and it's about time..."
The "problem" being primarily one of companies not protecting passwords and accounts of customers (from hackers) every bit as much as users not picking good, long passwords that are hard to crack (because they're long--oh, you mean the system only allows 12 characters max? [oops]) and easy to remember. (Sure hope no one steals my ring... or my ring finger... with the ring still on it...)
The biggest single problem with a log on/password was when online companies shifted to requiring or using your email address as a log on. Once a big company is compromised, the thieves can then just try that email/password combination at all the other major sites. I, like many other people I know, use the same password and a different log on depending on what site we are using. I have a different user name for gaming and a different user name for banking and yet another different user name for online shopping. That extra layer of protection of being able to use a different user name at different sites was nullified when companies moved to using/requiring email addresses as a log on.
Strange. I read about this elsewhere and came away with a different aspect of it. The biggest was Google is not declaring war on the password, just looking at other methods.
I don't think the password is going away anytime soon.
You didn't read the article, did you? The actual article is about using hardware tokens for authentication, and just used 'a figure ring' as an example of how one might conveniently carry such a thing - more conveniently than, I suppose, today's key-ring-sized RSA tokens.
Interesting. I was watching Once Upon a Time last night. They needed to access a cell phone, but didn't have a password. So they used the guy's key fob and put it near the phone to unlock it.
The only problem I have with such a method is what happens if you leave it on the shelf by the sink, or it falls off the key ring, etc.?
You'd think a thumb print, retina scan would be the way to go, as you can't leave them behind.
Actually, you leave thumb prints behind you every time you touch anything with your thumb (and anyone with access to the "protected" device has access to your thumb print too). I recently demonstrated that principle to someone who was in love with the finger print scanner on their notebook.
I won't go into the gory details of how a retina scanner can be compromised.
Why stop with a ring on your finger? As some have already mentioned here, you can lose it or forget to wear it when you need it. Why not put it under the skin as an RFID tag? Then all of those problems are gone... (for a guy who thinks the glass is half full in this case). Or maybe that's the plan behind this Google project?
I think this day is soon approaching where everything will require an RFID reading. Just look at this Texas school district.
I hope to be long gone by then. The idea of all things read by chips makes me ill.
Does no-one in the security forum except me actually use a hardware logon token for anything? There seems to be a lot of resistance to having any physical thing that helps logon security.
For the record, the problems with the current hardware logon-token approaches are:
1. As far as I know, it's site-specific [my RSA token has to be known to the web site in question], so isn't going to scale
2. I have to copy the digits from the token to the password-entry form: but this is fixable by having a token with a USB interface
3. It doesn't eliminate passwords, and nor should it (for the same reasons that having an ATM card doesn't eliminate PINs). But it does reduce required password complexity.
I don't see that the Wired article is suggesting much more than using the same sort of approach but making it more ubiquitous. And smaller.
Since it's actual money involved with the web site in question, I'm glad of the incremental protection of the token on top of the password.
For the record, I've never lost it, forgotten it, or suffered more inconvenience than having left the token in my coat downstairs when I'm upstairs.
The technology question we perhaps ought to consider here is: how secure is it to rely on a single authentication service?
You know, I proposed just this to my best friend, because I think privacy is all but gone anyway and I told her I was willing to give up my last shred of it for convenience. I'm only half kidding. I might actually sign up for it. No more passwords, so intriguing to me.
Of course it makes her insanely angry at me, and she tells me what an idiot I am. She's not really kidding either. She thinks the idea is awful.
Good to hear from a guy who thinks about it as the glass half full. Now, look at it from the glass-is-half-empty perspective. I may have hundreds of those tags and none of those are under my skin. Moreover, all of them could be easily reprogrammed to copy your ID, as well as anyone I want... How does that sound now? Is it secure? Is it convenient? Or is it worth doing at all???
Listen to your g/f. You may learn something from her.
BTW, the more often you repeat to yourself "I think privacy is all but gone anyway", the more it becomes true. That's why I do not do that.
You didn't read the article, did you? The actual article is about using hardware tokens for authentication, and just used 'a figure ring' as an example of how one might conveniently carry such a thing - more conveniently than, I suppose, today's key-ring-sized RSA tokens.
I read the article, all right. But since you don't appreciate (lame but pointed) humor, I'm not about to start carrying around hardware tokens for specific sites "for security" or anything else. It's clutter, it's junk, and it's not automatically secure. That's just the sales pitch.
Well, the best security systems involve a challenge based on (1) something you have (or are) and (2) something you know. The first could be a device or something else to--supposedly--"prove" who you are (retina scan, fingerprint reader ..."ring"?). Of course, the second could still be a password (or PIN). (However, would this actually make your accounts et al "hack-proof"?)
(At least, if the first were in use here, then one might not jump to the conclusion that someone "unavailable" is a "guy"?)