
Google Declares War On the Password

Soulskill posted about 2 years ago | from the united-nations-powerless-to-intervene dept.


An anonymous reader writes "Wired reports on a research paper from Google employees about the future of authentication on the web. 'Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,' the authors write. Their plan involves authenticating just once, to a single device, and then using that to unlock all of your other accounts. 'We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity.' Recognizing that this isn't something they can accomplish on their own, they've gone ahead and created a device-based authentication protocol that is 'independent of Google, requires no special software to work — aside from a web browser that supports the login standard — and which prevents web sites from using this technology to track users.'"


Brilliant idea (5, Insightful)

0123456 (636235) | about 2 years ago | (#42627031)

Because I totally want anyone who steals my phone to be able to access every other site I use.

Re:Brilliant idea (5, Insightful)

Andrio (2580551) | about 2 years ago | (#42627069)

The best feature of the password is that it's in your head. You carry it around everywhere, and it can never be physically taken from you.

This proposed plan just makes cellphones that much more attractive to steal.

Re:Brilliant idea (5, Insightful)

Dexter Herbivore (1322345) | about 2 years ago | (#42627151)

The best feature of the password is that it's in your head. You carry it around everywhere, and it can never be physically taken from you. This proposed plan just makes cellphones that much more attractive to steal.

The WORST feature of the password is that it's in your head. I have 20+ login passwords between work and home, my security is lower because you have to simplify them to remember them. If we can find a way to escape the tyranny of passwords that can generally be cracked by anyone who's determined anyway it can only be progress. Not that I have any faith in any organisation to do it after many failed or barely passable attempts (biometrics, smart cards etc).

Re:Brilliant idea (5, Informative)

terrab0t (559047) | about 2 years ago | (#42627363)

I use a password manager [keepass.info] to solve this problem. It stores all (or a large set of) my passwords in an encrypted database. I have one very strong password that lets me access the database. The passwords it stores are all strong (sometimes hard to remember) passwords that I do not have to store in my head.

I still have all of my eggs in one basket, but that basket is sealed in a solid iron box.

Re:Brilliant idea (5, Insightful)

kaiser423 (828989) | about 2 years ago | (#42627489)

True, but if that password manager gets compromised by, say, Red October via capturing your keystrokes, everything is compromised for all sites until you take the time to individually change each one.

Currently, with Google Authenticator, I have it set up to authenticate me for a number of things, as if it gets compromised, simply telling it to re-sync again re-secures all of my credentials. Much, much better management. Single point control.

Re:Brilliant idea (2)

caknuckle (2521404) | about 2 years ago | (#42627397)

I have 20+ login passwords between work and home, my security is lower because you have to simplify them to remember them

Have you tried using LastPass? You only have to remember 1 secure password (as complex as you want it to be) and LastPass remembers the rest for you. It also significantly reduces time logging into sites by filling the logins for you. I use this every day and don't want to remember what life was like without it.

Re:Brilliant idea (3, Interesting)

h4rr4r (612664) | about 2 years ago | (#42627481)

You have to simplify them?

Use sentences. Easy to remember and very strong due to length.

Re:Brilliant idea (0)

pixelpusher220 (529617) | about 2 years ago | (#42627523)

The best thing about A password is it's in your head.

That's also the worst thing about MULTIPLE passwords. But in the head only is a very secure concept.

Re:Brilliant idea (2)

ElectricTurtle (1171201) | about 2 years ago | (#42627531)

I just use a mental algorithm to generate passwords based on time and thing. That way I can have new passwords at will that are consistent with a standard that only I know (and no, it's not just simple +1 number stepping). The only time I have problems is when my system is too long, like with classic VNC...

Re:Brilliant idea (2, Interesting)

bgarcia (33222) | about 2 years ago | (#42627207)

The worst feature of a password is that it can be obtained from you by someone located anywhere in the world, and you wouldn't necessarily realize it. Phishing websites and social engineering make passwords by themselves too easy to get around.

You would still have a screen lock on your phone to prevent someone from using it to authenticate into all of your other accounts.

Has Google become EVIL? (2, Interesting)

Anonymous Coward | about 2 years ago | (#42627313)

Does Google want one authentication for everything, so that it's easier to identify everyone?

Or, is the idea just some out-of-control childish thinkers at Google?

Re:Has Google become EVIL? (1)

0123456 (636235) | about 2 years ago | (#42627521)

Does Google want one authentication for everything, so that it's easier to identify everyone?

That was my assumption. Like Microsoft before them, they want to become the One Authentication System To Rule Them All.

Because it certainly doesn't make sense if you actually care about security.

Re:Brilliant idea (5, Interesting)

dkleinsc (563838) | about 2 years ago | (#42627355)

As you hint, passwords are both necessary and insufficient for real security. For anything important, you really ought to have 2/3 of the ID triangle: something you know (like a password), something you have (like an RSA token), or something you are (like fingerprints).

Re:Brilliant idea (5, Interesting)

SirGarlon (845873) | about 2 years ago | (#42627525)

From the point of view of a digital stream of data, something you have is indistinguishable from something you are. (Fingerprint scanners are vulnerable to replay attacks.)

Re:Brilliant idea (1)

Anonymous Coward | about 2 years ago | (#42627075)

Because I totally want anyone who steals my phone to be able to access every other site I use.

More like it's an RSA Token where you use the 6 digits the phone autogenerates + your password. It's double the authentication...

Re:Brilliant idea (4, Informative)

aahzmandius (52806) | about 2 years ago | (#42627093)

So have the phone de-auth after a certain amount of time without you entering your credentials. You'd still only have to remember credentials to one device, and then *it* does all of the 'heavy lifting' of authenticating everywhere else.

Re:Brilliant idea (0)

alen (225700) | about 2 years ago | (#42627105)

and why go through all this effort when you can just use a password?

Re:Brilliant idea (2)

robmv (855035) | about 2 years ago | (#42627211)

Oh yeah, everybody use the same password on all websites you use, we know it is the best practice for security!!!!!

Re:Brilliant idea (2)

Dcnjoe60 (682885) | about 2 years ago | (#42627403)

Oh yeah, everybody use the same password on all websites you use, we know it is the best practice for security!!!!!

I think his point was that if your phone or other device gives you access to all of your sites, then the single password on your phone is the same as using the same password on all your sites. Basically, hack the phone algorithm and you now have access to everything the person does.

Re:Brilliant idea (0)

Anonymous Coward | about 2 years ago | (#42627503)

Because the password unlocks the phone, not those sites; it's still 2-factor authentication. The phone is something you have and the password to that phone is something you know. Also, something you have authentication is much, much harder to fake without the owner being aware.

Re:Brilliant idea (0)

Anonymous Coward | about 2 years ago | (#42627277)

and why go through all this effort when you can just use a password?

Because human memory sucks, and password managers aren't much better. Sure the average person can remember one or two passwords, but what about 10, 50, 100, 500, etc.?

Re:Brilliant idea (0)

Abstrackt (609015) | about 2 years ago | (#42627353)

Just generate them algorithmically. For example, your base password could be 12345 and you would just append the name of the site to it. Slashdot’s password would become 12345slashdot, your email password would become 12345email, etc. As long as you don't share your base password or the particulars of your algorithm there’s much less to remember and you benefit from having unique passwords across all the sites you visit.

Re:Brilliant idea (3, Insightful)

Anonymous Coward | about 2 years ago | (#42627407)

That doesn't work. If someone compromises your slashdot password (e.g., hacks slashdot or phishes you for it) and sees it's "12345slashdot", it's a fair guess that "12345email" is your email password.
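
The point made in this reply, as an added example that is not part of the original thread: with the "base + site name" scheme one leaked password exposes its siblings, while a keyed derivation (PBKDF2 followed by HMAC, a technique swapped in here for comparison) does not. All names and sample values are hypothetical and constructed.

```python
import base64
import hashlib
import hmac

# Constructed sample values taken from the scheme described in the thread.
BASE = "12345"
SITES = ["slashdot", "email", "bank"]


def naive_password(base: str, site: str) -> str:
    """The scheme from the parent comment: base password + site name."""
    return base + site


def siblings_exposed_by_leak(leaked: str, leaked_site: str, other_sites):
    """Return the passwords that must be treated as compromised after one leak.

    If the leaked password visibly contains the name of the site it came
    from, whatever surrounds the name is the reusable part, and every
    sibling password follows by substituting another site name.
    """
    idx = leaked.lower().find(leaked_site.lower())
    if idx == -1:
        return {}  # no visible structure to extrapolate from
    prefix = leaked[:idx]
    suffix = leaked[idx + len(leaked_site):]
    return {site: prefix + site + suffix for site in other_sites}


def derived_password(master: str, site: str, length: int = 20) -> str:
    """Keyed per-site derivation (assumption: not a scheme from the thread).

    The master secret is stretched with PBKDF2, then used as an HMAC key
    over the site name. A leaked output reveals neither the key nor the
    outputs for other sites. The salt is a fixed label for this demo.
    It does not solve two problems raised elsewhere in the thread: the
    master secret is still a single point of failure, and a site's
    password rules may reject the output.
    """
    key = hashlib.pbkdf2_hmac(
        "sha256", master.encode(), b"site-password-demo", 200_000
    )
    tag = hmac.new(key, site.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode()[:length]


def compare(master: str = "constructed master passphrase"):
    """Run both schemes over SITES and report what one leak exposes."""
    leaked_site, others = SITES[0], SITES[1:]
    naive_leak = naive_password(BASE, leaked_site)
    keyed_leak = derived_password(master, leaked_site)
    return {
        "naive": siblings_exposed_by_leak(naive_leak, leaked_site, others),
        "keyed": siblings_exposed_by_leak(keyed_leak, leaked_site, others),
    }


if __name__ == "__main__":
    for scheme, exposed in compare().items():
        print(scheme, "->", exposed or "nothing recoverable from the leak")
```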

Re:Brilliant idea (1)

yincrash (854885) | about 2 years ago | (#42627431)

the biggest problem with this is when your algorithm won't fit the password requirements of one particular site. then you have to memorize that this one site has a specific password requirement which requires a different password than the algorithm normally generates, and often these sites don't advertise their password requirements when you login so you end up locking your account after too many password attempts.

Re:Brilliant idea (1)

Anonymous Coward | about 2 years ago | (#42627097)

Because I totally want anyone who steals my phone to be able to access every other site I use.

Just protect your phone with a password.

Re:Brilliant idea (2)

Farmer Pete (1350093) | about 2 years ago | (#42627145)

Your phone would be protected with a password silly! Oh wait, this seems like it would add complexity, and probably add passwords. It would also require all sites to majorly overhaul their authentication protocols. I'm guessing this is about as likely to happen as all websites accepting a fingerprint in raw form as a password.

Re:Brilliant idea (1)

realityimpaired (1668397) | about 2 years ago | (#42627451)

Having a password manager which can automatically fill in your passwords, and which is protected by a fingerprint, is quite doable with modern hardware, however. Many laptops now have fingerprint readers built into them, and USB devices are readily available.

In fact, software like that already exists... it's one of the options in the fingerprint software on my mother's laptop.

Re:Brilliant idea (1)

AmiMoJo (196126) | about 2 years ago | (#42627491)

Fingerprints are a bad idea because they can't be revoked (well, okay, maybe they can 9 times, but then you are SOL unless you want to authenticate with a toe). A smartphone with a password, or better yet a ring like they describe, seems like a reasonable option and can easily be revoked.

The same thing applies to your wallet and credit cards. A pain if you lose them and you need to act quickly to stop them being abused, but it is a reasonable trade off between convenience and security.

Re:Brilliant idea (1)

blueg3 (192743) | about 2 years ago | (#42627529)

...websites accepting a fingerprint in raw form as a password

How would that even work? Put your finger on an ink pad, press it to a piece of paper, and mail it to them? Because otherwise it's not in its "raw" form.

Re:Brilliant idea (0)

Anonymous Coward | about 2 years ago | (#42627157)

Perhaps they could add an additional security measure on top of it.

Re:Brilliant idea (0)

Anonymous Coward | about 2 years ago | (#42627159)

Generally the way these systems work the thief would have to unlock your key/cert before it could be used. At the worst they may be able to access your sites until the next time your phone runs out of battery. Any phone thief worth their weight will take the battery out of your phone after it's stolen...you know all that pesky GPS locating software.

Remember my password ... (2)

perpenso (1613749) | about 2 years ago | (#42627175)

Because I totally want anyone who steals my phone to be able to access every other site I use.

Well given the popularity of the "remember by password" "feature" that is sort of where we are today on computers and mobile devices.

Re:Remember my password ... (1)

perpenso (1613749) | about 2 years ago | (#42627321)

err ... "remember my password"

Re:Brilliant idea (1)

Anonymous Coward | about 2 years ago | (#42627187)

Remote kill feature.

Many newer phones have them.

Re:Brilliant idea (4, Insightful)

Anonymous Coward | about 2 years ago | (#42627293)

Please explain how I can log into whatever service provides the remote kill if I can't log into my computer, my email account, or anything else. Keep in mind that I don't know my phone's MAC or SIM identification off the top of my head.

Re:Brilliant idea (4, Informative)

realityimpaired (1668397) | about 2 years ago | (#42627519)

There is a device called a "telephone". You pick up a "receiver", and "dial" a series of numbers associated with the person or company you are trying to communicate with.

Your cell phone has a similar series of numbers associated to it, with which your service provider can locate your IMEI code (which is much more useful for remote killing your phone than the SIM card). Additionally, they can burn the IMEI so that it can't be activated on other providers (at least in most of the world). If you do not know your telephone number, then they can find it with your name, your account number, and many other pieces of information you can give them. Most cell providers have an option in their IVR to report a lost or stolen phone, too, with after-hours emergency support.

Re:Brilliant idea (1)

Anonymous Coward | about 2 years ago | (#42627203)

As in "what could possibly go wrong?"... :-)

Re:Brilliant idea (1)

zAPPzAPP (1207370) | about 2 years ago | (#42627237)

Just lock the phone with a password.

Re:Brilliant idea (0)

Anonymous Coward | about 2 years ago | (#42627483)

Entering strong passwords on a phone is a pain in the ass. Especially if you have to do so every time you open it.

Re:Brilliant idea (5, Informative)

kaiser423 (828989) | about 2 years ago | (#42627447)

It really is. I love their current implementation. It's actually security done right. I use Google Authenticator on my phone. If I login from an unknown computer, it asks me for a pass code also, which I just bring up on my phone. I only need to remember the password to my phone/tablet. It's easily the most seamless and secure two-factor authentication I've ever used, and I've used a lot of them....

I also use it as a token to access a couple of other sites. I believe that Apache has a module that can sync to Authenticator. It's great two-factor.

It also comes with a list of one time codes that I can carry around for when I don't have access to my phone or tablet.

It's like a permanent key/password manager for all of Google. It'd be great to turn it into my whole life. Much easier to just de-sync the Authenticator, then re-sync rather than blow away passwords for all sites, then re-create them for all sites if something gets compromised.

TL;DR I trust Google to do this right because they're already miles ahead of everyone else.
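
How the pass codes mentioned in this comment are computed, and why a re-sync cuts off a copied secret, as an added example that is not part of the original thread. It follows RFC 6238 with the parameters Google Authenticator uses (HMAC-SHA1, 30-second step, 6 digits); the `Account` class and its method names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# The ASCII test key from RFC 6238, Appendix B, in the base32 form
# that authenticator apps exchange.
RFC6238_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the time-based one-time code for a given moment."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def new_secret() -> str:
    """Generate a fresh 160-bit shared secret, base32 encoded."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


class Account:
    """Hypothetical server-side record holding one shared secret."""

    def __init__(self, secret_b32=None):
        self.secret = secret_b32 or new_secret()

    def check(self, code: str, unix_time: int, window: int = 1) -> bool:
        """Accept codes from the current step and `window` steps either side."""
        return any(
            hmac.compare_digest(totp(self.secret, unix_time + drift * 30), code)
            for drift in range(-window, window + 1)
        )

    def resync(self) -> str:
        """Replace the shared secret; codes from the old one stop verifying."""
        self.secret = new_secret()
        return self.secret


def demo(now: int = 1_700_000_000):
    """Show one secret copied off a device, then revoked by a re-sync."""
    account = Account()
    copied = account.secret                  # secret as copied by an intruder
    before = account.check(totp(copied, now), now)
    fresh = account.resync()                 # owner re-enrolls the phone
    after = account.check(totp(copied, now), now)
    owner = account.check(totp(fresh, now), now)
    return before, after, owner


if __name__ == "__main__":
    print("RFC 6238 vector at t=59:", totp(RFC6238_SECRET, 59))
    print("copied secret valid before/after re-sync, owner valid:", demo())
```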

Re:Brilliant idea (1)

codemaster2b (901536) | about 2 years ago | (#42627493)

Was my first thought too

But ... (1)

Anonymous Coward | about 2 years ago | (#42627065)

But my employer doesn't allow me to have my phone at my desk ... and if I forget it in the car I can't log into anything ... and if I lose it, WTF?

Hey, Google, stay the fsck out of my life.

Yeah yeah, we have seen this before (5, Interesting)

s.petry (762400) | about 2 years ago | (#42627073)

Every big company at some point has declared war on the password. We have smart cards, biometrics, RSA tokens, and finger paintings to prove it. None of those things work any better than a password when used alone. In conjunction with a password, we can achieve "better" security.

The logic of a password-less world is what's broken. Period, end of statement. If the logic is broken, no matter who implements the password-less solution we still end up with a broken solution.

Re:Yeah yeah, we have seen this before (5, Funny)

ColdWetDog (752185) | about 2 years ago | (#42627133)

One phone to rule them all, One phone to find them,
One phone to bring them all and in the darkness bind them
In the Land of Google where the Shadows lie.

Don't be evil!

Re:Yeah yeah, we have seen this before (1)

markdavis (642305) | about 2 years ago | (#42627225)

+1

And of course it would be Google. Because, you know, we haven't handed enough of our information to Google (and other companies) already...

Access to all your Email, all your contacts, your location, your calls, the apps you install, all your searches, all your comments on Google+, your research on Google Maps, your shopping, all your purchases with Google Wallet, tracking you with Adsense from millions of sites, storing your passwords in Google's browsers, recording your network passwords in your Android accounts, sniffing the neighborhood's WiFi, storing your photos and comments in Picasa, holding pictures of your house and cars/property in Google Earth and Streetview, recording your viewing habits on Google TV, sifting through your files stored on Google Drive, following your movements with location history, who you chat with on Google Talk and Hangouts, etc, etc, etc, etc, etc, etc, etc.

So sure, I really think I should link everything I do to a single protected "login", that can't possibly be abused.

Re:Yeah yeah, we have seen this before (1)

Nerdfest (867930) | about 2 years ago | (#42627243)

So, "a device-based authentication protocol that is 'independent of Google, requires no special software to work — aside from a web browser that supports the login standard — and which prevents web sites from using this technology to track users'" is evil? Are you guys being paid for the anti-Google FUD, or did they kill your dog?

Re:Yeah yeah, we have seen this before (1)

ColdWetDog (752185) | about 2 years ago | (#42627457)

Sir, are you actually suggesting that we should read the fine article? If so, I'm ashamed of you.

Not that I would believe Google (or anyone else for that matter) when something says they are 'independent'.

Deagol gets a new smartphone... (1)

Picass0 (147474) | about 2 years ago | (#42627495)

I hope he's careful who he shows it to. It's his brother's birthday.

Tracking (5, Insightful)

QuietLagoon (813062) | about 2 years ago | (#42627083)

... Their plan involves authenticating just once, to a single device, and then using that to unlock all of your other accounts. ...

That certainly makes it much, much easier for google to track you as you go around the web.

Re:Tracking (0)

Jawnn (445279) | about 2 years ago | (#42627253)

... Their plan involves authenticating just once, to a single device, and then using that to unlock all of your other accounts. ...

That certainly makes it much, much easier for google to track you as you go around the web.

This.
"Password-based authentication has weaknesses, therefore you should be afraid. But fear not. We, Google, the giver of all things not evil, have a solution for you. Just don't look under the cover at what it's actually doing."

Re:Tracking (0)

Anonymous Coward | about 2 years ago | (#42627273)

Good thing they're not evil.

 
Captcha: unneeded

Re:Tracking (5, Funny)

TheGratefulNet (143330) | about 2 years ago | (#42627285)

security principles for authentication:

1) what you have
2) what you are
3) what you know

for google:

1) what you have: you have a tracking device that we'd like you to always have on and always transmit your location and other info to us.

2) what you are: you are a source of marketing info to us, as well as other info we can give/sell to others.

3) what you know: you are told that we are 'not evil' and we've repeated that so many times, you just KNOW it's true.

Re:Tracking (1)

QuietLagoon (813062) | about 2 years ago | (#42627399)

"flamebait" - looks like I hit a nerve.

That doesn't make sense.... (1)

mark-t (151149) | about 2 years ago | (#42627089)

If repeated authentication through passwords, by their own words, "isn't sufficient to keep users safe", then why on earth do they figure that a SINGLE authentication would be sufficient?

Re:That doesn't make sense.... (1, Interesting)

magic maverick (2615475) | about 2 years ago | (#42627161)

Think of OpenID. You have one method of authentication, and you pay lots of attention to it to keep it safe! (Don't spread your eggs around different baskets, keep them all in one, and look after that basket!)

Personally I already have a single device for all my passwords. It's called my computer. Most of my often used passwords are stored by Firefox (and protected by a master password), others are in a TrueCrypt file, less worthy of concern passwords are just stored in a note or two and saved.

Re:That doesn't make sense.... (0)

Anonymous Coward | about 2 years ago | (#42627527)

I think the point is, you can't always look after that basket. Shit happens. If shit happens and you put everything into one basket then you're really screwed.

This whole idea of single authentication fails. It's security for the lazy and those who are lazy have bad security.

Biometrics (2)

drummerboybac (1003077) | about 2 years ago | (#42627111)

Isn't there already biometrics for this? You can't forget your finger in the car, and nobody can discreetly steal it. They could steal it with a pair of bolt cutters, but then you have much bigger issues.

Re:Biometrics (0)

Anonymous Coward | about 2 years ago | (#42627183)

Well, I'd rather have my password taken from me than my finger taken from me.

Re:Biometrics (0)

Anonymous Coward | about 2 years ago | (#42627193)

I've been less than impressed with biometrics. There's a very fine line between "too restrictive" (i.e., dust can lock you out) and "too permissive" in these various readers, and that doesn't take into account that your body can change over time. I have a pretty deep scar right in the middle of a tertiary finger, and I'd hate to be locked out of all my various devices just because I missed with a hammer that morning.

I think the real problem is that security is hard and takes effort, and nobody wants to expend that effort. I don't mind remembering my 30 character alphanumeric mixed case passwords. My security is worth it, and I don't want to rush over to a magic security solution if it turns out that the foolproof authentication is too convinced of its status as foolproof to handle everyday life.

Re:Biometrics (0)

Anonymous Coward | about 2 years ago | (#42627201)

Actually, that makes stealing someone's identity a grievous offence.

Re:Biometrics (4, Interesting)

Nerdfest (867930) | about 2 years ago | (#42627267)

You should always use 2 factor authentication, with biometrics and with what is being suggested here. You know, both something you can lose, and something you can forget.

Re:Biometrics (1)

Daetrin (576516) | about 2 years ago | (#42627441)

For _real_ security you need three factor authentication: something you can forget, something you can lose (a finger, an eye) and something you can set on fire (keycard, phone, etc.)

(Though if you're hardcore enough to set yourself on fire to prove a point we'll let you get away with two factor authentication. Mainly because if you're that crazy we'll agree to anything you say just to get you to go away quickly.)

So I'll just have to steal a phone? (0)

Anonymous Coward | about 2 years ago | (#42627113)

How is that better?

Re:So I'll just have to steal a phone? (1)

Score Whore (32328) | about 2 years ago | (#42627301)

It's better because every time you log into some site Google will know about it. How is this not better?

(I swear to god they must have a standard policy that everyone who works for the company needs to figure out additional ways to get Eric's cock into more assholes.)

Re:So I'll just have to steal a phone? (1)

TheGratefulNet (143330) | about 2 years ago | (#42627357)

it would seem that the process of getting hired includes 'does the prospective employee willingly drink the kool aid?'.

you really have to, to work there. so much evil going on, you either are very good at ignoring it and just happy to have a paycheck and good job entry on your resume; or you are void of ethics and would do anything for money, no matter what ethics are involved.

I wonder how long socially conscious people last at google? I'm willing to bet quite a few get tired of the PR lies and eventually leave.

Great idea! (2)

fredprado (2569351) | about 2 years ago | (#42627117)

Now I will have to give my full identity to any site that today requires just an e-mail account to register. An identity that will be the same I will use to make payments. What could go wrong with that?

Re:Great idea! (1)

Maximum Prophet (716608) | about 2 years ago | (#42627309)

Now I will have to give my full identity to any site that today requires just an e-mail account to register. An identity that will be the same I will use to make payments. What could go wrong with that?

It wouldn't have to. As long as the device can verify that you really are the same Bozo123 today that they talked to yesterday, and verify to you that the clowncollage.com that you are logged into today is the same that you used yesterday, it would be sufficient. The device could easily allow Bozo123, Bozo222, and Bozo666 to have independent authentications.

Of course if you link your Bozo123 account to your johnsmith@gmail.com account, then they can follow you.

windows has... (0)

Anonymous Coward | about 2 years ago | (#42627119)

...Trust this pc

Anonymity (4, Insightful)

Anonymous Coward | about 2 years ago | (#42627125)

Passwords are bad because they allow any individual to create as many distinct accounts as he or she wants. Require a hardware device per account and you now need an investment for every distinct account. Google wants every user to be identifiable across all sites/services using the same ID.

1 TB Encryption (0)

Anonymous Coward | about 2 years ago | (#42627137)

SexGodSecret1234

Please place your palm on the scanner look into the eyepiece and sing your social security number.

uh oh (1)

Mike Frett (2811077) | about 2 years ago | (#42627153)

So I will not be able to access my account at all! Since I have no cellphone, nor do I want or need one. Interesting.

Re:uh oh (1)

Dexter Herbivore (1322345) | about 2 years ago | (#42627315)

You'll need one if this becomes common practice.

Google is clueless (0)

Anonymous Coward | about 2 years ago | (#42627197)

The more announcements that I read like this from Google, the more I am convinced that they simply have no clue about the real world. Trying to require that everyone carry with them a suitable device for authentication is simply not going to work for all the obvious reasons. Convinces me more and more that Google is on the way down.

Already Done (0)

Anonymous Coward | about 2 years ago | (#42627217)

A well established cryptosystem is already established and the crypto-token sits in the pocket of most Europeans. Chip&Pin credit cards have the crypto inside to securely authenticate people, and most people in the western world have a credit card. The tokens are signed by the banks, and a rigid structure already exists to authenticate the users. A 15 euro reader (retail price) is all most westerners would need to buy to do this, if the retarded Americans would go to a chip&pin card instead of paying billions for credit card fraud.

Most transactions that require good authentication end up being *gasp* financial, and by adding the reader, this prevents a lot of methods of using stolen credit card numbers. This doesn't require a cell phone or some other expensive device, just a fucking credit card. Hell, my stupid work blackberry even has a bluetooth smartcard reader.

This is a solved problem, in Europe. We just have to force the Americans to go along with banking security. You lose no more anonymity than you do with banking, which is to say "all". Public key cryptography already applies, and with echelon, there's no hope of real anonymity if someone has a warrant anyway.

Re:Already Done (1)

Dexter Herbivore (1322345) | about 2 years ago | (#42627333)

... and with echelon, there's no hope of real anonymity if someone has a warrant anyway.

With Echelon, who needs a warrant?

Has to inform the user (1)

Maximum Prophet (716608) | about 2 years ago | (#42627223)

The device would have to alert the user to each authentication and give the option to *not* authenticate to a particular site. I'm not sure relying on the host computer would be sufficient. The device may need its own display and a few keys.
And of course, it would have to have open software with open standards so that anyone could verify that it is working.

For the last time Google! (4, Insightful)

Sydin (2598829) | about 2 years ago | (#42627241)

I really mean it: I don't want to have to login to the internet. You keep trying to get me to do it with Chrome, so I switched from that, but now you're going to badger me about this for my phone, too? Sometimes I want to surf anonymously. Sometimes I don't want Site X and Site Y knowing that I'm the same person logging into both. And I can say for certain that all the time, I don't want to be tracked by you so you can present me with more "targeted ads" to give me a better user experience. Let's not even get into what happens if my phone gets stolen, and suddenly all my consolidated information is at some stranger's fingertips. There are far, FAR too many problems with centralized authentication, and I'm really getting sick of Google trying to force it down my throat.

Takes the entire Internet down (1)

Anonymous Coward | about 2 years ago | (#42627259)

... by slashdotting Yubico website (Error 503 Service Unavailable as of now).

Do not RTFA (5, Informative)

Night64 (1175319) | about 2 years ago | (#42627263)

Would you all PLEASE do not RTFA this time? I cannot, for the love of God, read another whiny story about "I'm Matt Honan and I was fucked in the ass (metaphorically speaking) by a 15 year old". And if this post gets slashdotted, Wired will post another 100 stories about that. So please DNTRFA!

K3wl! Except.... (1)

whitroth (9367) | about 2 years ago | (#42627271)

...for the half or two thirds of us that don't carry, or want, a "smart" phone.

                  mark, not being tracked

retina? (2)

genericmk (2767843) | about 2 years ago | (#42627279)

Everything has a camera on it these days. Why not authenticate with your retina? Authenticate everything from an authenticate device as Google proposes but don't make the Android phone the centerpiece of authenticating everything.

Re:retina? (0)

Anonymous Coward | about 2 years ago | (#42627379)

What happens when they crack this method? Do you believe this could never be cracked? You can't just change your retina...

To: Our Totalitarian Overlords (1)

Jawnn (445279) | about 2 years ago | (#42627323)

From: Overlordian Technology Think Tank Staff
Re: "embedded finger ring technology"

Maybe now we have the right combination of convenience and social climate to get those sheep to consent to being chipped or at least bar-code-tattooed.

Re:To: Our Totalitarian Overlords (1)

dkleinsc (563838) | about 2 years ago | (#42627413)

It's not supposed to go in your finger, silly. The correct place for a bar code tattoo is on the right hand or on the forehead, as is described quite clearly in Revelations 14:9 [skepticsan...dbible.com] .

Moving closer to Big Brother (1)

Anonymous Coward | about 2 years ago | (#42627325)

One global identity used to track a user across every site. Your (insert embarrassing site here) account is now tied to your FaceBook by the one device authentication. Anyone else see the problem with this?

Looks like... (0)

Anonymous Coward | about 2 years ago | (#42627339)

Looks like someone saw what Firefox Sync did and said, "Yeah, let's do that..."

passwords suck (0)

Anonymous Coward | about 2 years ago | (#42627341)

And with mobile devices, can't even type them in. And why the ***** thing?? Can't even see what password I am typing, and most of the time there are no eyes watching me, especially on my phone. And changing passwords???? How is that more secure? I use a 4 digit number and a word for the site for all of my passwords and call it good enough. Like slashdot is 9999slashdot, but not 9999, and I use the same 4 digit number everywhere. For banks and so on I put the 4 digit number in the middle. Who cares?

Sounds simple (0)

Anonymous Coward | about 2 years ago | (#42627361)

Just give me a unicorn and I might be able to transport your letter a few metres.

Really, a 100% secure app running on an unsecured smartphone, connected to the Internet, communicates secretly to your 100% secure browser, running on your Internet-connected, unsecured PC; how could that not work?

Yaaay! (0)

Anonymous Coward | about 2 years ago | (#42627367)

Yet another federated single-signon scheme I have no intention of ever using.

Fail harder, GOOG. I don't trust my overall online identity to you any more than I'd trust Microsoft or Facebook. I like my online identity fragmented. I like my anonymity, and federation defeats that.

I'd no more trust a SSO than I'd trust a single key to unlock my house, my car, my truck, my safety deposit box, and my wife's chastity belt.... especially since I won't actually be holding the key; Google would be. Yaaay.

Thanks, but...um, hells no.

Finger ring is not the only option. (1)

140Mandak262Jamuna (970587) | about 2 years ago | (#42627377)

"We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity."

The smartcard can be embedded in the finger itself, instead of a ring on the finger. In fact it could be embedded anywhere in the body and it could be used to identify you uniquely and track you. For your own safety and to provide for the completely unbreakable security, you would not be able to find the embedded smartcard yourself. (no, not even your ten year old son, who could build protocol droids from scrap parts, could build a scanner to find it). This is what the future is going to bring to us, it is as clear as the two suns on the sky.

Kerberos (1)

TheNinjaroach (878876) | about 2 years ago | (#42627393)

Didn't RTFA, but it seems like Kerberos has solved a big chunk of this problem. Authenticate to your device once, pass encrypted tickets around that a) don't contain any portion of your password, and b) are cryptographically verifiable in an offline manner. A big problem I see with it is, who wants to manage that KDC and who would trust them?

how about REMOVING ARBITRARY PASSWORD LIMITS! (5, Insightful)

Umuri (897961) | about 2 years ago | (#42627395)

Relevant xkcd [xkcd.com]
But seriously, how many times have you seen minimum (ok, can see a point here) or maximum (WTF) limits on a password length? Or requirements of what it can or cannot contain.

Is there any reasonable excuse for why a password must not contain certain characters, besides breaking poorly made scripts? I mean password security 101 says they'll hash it anyway, so why should it matter?
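The point in the comment above, that a hashed password is stored the same way whatever characters or length the user typed, shown as an added example that is not part of the original comment. The scrypt parameters, the 4096-byte cost cap, the `salt$digest` record format and the sample passwords are assumptions constructed for this sketch.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed values for this sketch, not taken from the thread.
MAX_PASSWORD_BYTES = 4096   # bounds hashing cost only; far above any real passphrase
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)


def _encode(password: str) -> bytes:
    """NFKC-normalize, then UTF-8 encode; no character is ever rejected."""
    data = unicodedata.normalize("NFKC", password).encode("utf-8")
    if len(data) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds hashing cost cap")
    return data


def hash_password(password: str) -> str:
    """Return 'salthex$digesthex'; always 97 characters, whatever the input."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(_encode(password), salt=salt, **SCRYPT_PARAMS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    try:
        data = _encode(password)
    except ValueError:
        return False
    candidate = hashlib.scrypt(data, salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed sample passwords: spaces, quotes and markup characters,
# non-ASCII text, and a 1000-character passphrase.
SAMPLES = [
    "purple monkey dishwasher tuesday",
    "it's \"quoted\"; <b>&</b> \\ % _",
    "pässwörd-密码-🔑",
    "x" * 1000,
]


def stored_lengths() -> set:
    """Lengths of the stored records for all samples."""
    return {len(hash_password(p)) for p in SAMPLES}
```

Length caps tied to the hash function do exist: bcrypt reads only the first 72 bytes of its input, which is a property of that algorithm and not of the scrypt call used here.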

Nothing but passwords (0)

Anonymous Coward | about 2 years ago | (#42627401)

Fuck all of this. No tokens, no cookies, no one time auth, no security questions, no PINs, no N factor auth.

Just plain rocksolid passwords used and stored using brains inside encrypted containers with a master key.

Why would we need anything else? More factors and complications always mean more points of failure.

pertender (0)

Anonymous Coward | about 2 years ago | (#42627443)

I learned a lot about pretending to be someone else a while ago when I worked at a university.

A female professor wanted a very generic email address so that she could participate on political forums without anyone knowing her race or gender. It was to protect not just her politically but physically as well.

Cell phones are not secure (0)

Anonymous Coward | about 2 years ago | (#42627445)

Cell phones can be lost or stolen.
Cell phone data can be tapped by applications.
Cell phone manufacturers and cell phone OS developers do not use good security practices in their designs.

Am I the only one that sees a problem with this? (1)

Dcnjoe60 (682885) | about 2 years ago | (#42627475)

Suppose we use our phones instead of individual passwords.

From a technical side, what is to stop somebody from getting their own phone, running numerous passwords through it while intercepting the key that comes out to determine the algorithm used? Once you have the algorithm, you can spoof other systems, can you not?

From a user side, how is having a single password for my phone any more secure than using the same password on all the sites I visit?

Finally, from a paranoid side, the US courts have already ruled that what is on your cell phone does not need a search warrant. What is to stop the authorities from using your phone to obtain access to everything?

I'm sure there are many more "sides," but you get my drift.

abracadabra (1)

mynameiskhan (2689067) | about 2 years ago | (#42627497)

By the way, Eric Schmidt's gmail password is... abracadabra. And he shares it with Page and Brin.

The general public can't handle security. (0)

Anonymous Coward | about 2 years ago | (#42627505)

The general public is not going to adopt multifactor authentication. They are so deceived into believing that "What you know" is secure. The idea of adding "What you have" to the process is the digital equivalent to landing on the moon to some people. It is truly unfortunate.

On a side note, I couldn't really care less about people's personal security. It's a personal choice and a lesson that most will have to learn the hard way. Untrained people will ALWAYS take the path of least resistance.

Conversely, once a person's information is in the hands of a third party it should be mandated to use multifactor authentication & encryption. That is our responsibility as IT/IS Professionals. There is no excuse.

Good luck Google.

You mean a dongle.... (1)

oh_my_080980980 (773867) | about 2 years ago | (#42627511)

...which has been tried before. Microsoft also tried a software approach called Passport.

Honestly, there isn't anything better than a password.

Unless you want to get into retinal scans :)

Look, over there! while I steal your credentials! (0)

Anonymous Coward | about 2 years ago | (#42627517)

Ok, so let me get this straight. Rather than solving the cookie problem with mandatory SSL (and encryption in general) everywhere and use of existing tech like pub/priv (asymmetric+symmetric) crypto, Google is advocating using either a phone, which your government/police/phone company can break into and reprogram at any time with a few key strokes (or be stolen and memory dumped). Or, they want you to wear a ring that, should you ever be arrested, the police can also just take from you and use to log into anything you own without so much as even a password to prevent non owner access?

Yeaaaaah, suuure...we'll get right on that Google.
