杏吧原创

Physical keys could take away the pain of passwords

If you can't remember all your passwords, take heart: hardware tokens that can't be cloned will soon offer secure access to your digital life
Unlocking a safer digital future
Unlocking a safer digital future
(Image: K-Photos/Alamy)

WE ARE hopeless at computer security: 鈥減assword鈥 and 鈥123456鈥 are still the most common passwords, despite being trivial for anyone to guess. Many of us use the same login for many accounts because remembering multiple complex passwords is a pain.

What if you could simply use a real object to log in? So-called physical key authentication is already used by staff at Facebook, and Google is planning to roll it out to its users in 2014. Some of these keys or 鈥渢okens鈥 will rely on their physical structure to make them unclonable, and could be used not just for computer logins but also to verify the authenticity of products that are prone to counterfeiting, such as wine.

Google, along with many other providers of email or online shopping services, is already trying to strengthen password security using an approach called two-factor authentication. If someone logs into their Gmail account from an unfamiliar computer, Google will ask them to type in an additional piece of information. This could be a code sent via SMS to their cellphone or one generated periodically by the Google Authenticator app.

Physical tokens will soon be part of this process. Google is now trialling , a small cryptographic card that plugs in to a USB port and mimics a keyboard entering a single-use password into the authentication field. At Facebook, all employees are already using such cards for two-factor authentication.

John 鈥淔our鈥 Flynn, one of Facebook鈥檚 security engineers, says the system provides the smoothest login experience he is aware of. 鈥淲e鈥檙e keeping an eye on emerging authentication technology. Hardware authentication is one of those,鈥 he says.

But YubiKeys can, in principle, be cloned, even though it is difficult to do so. Not so with keys from a California-based start-up called , which will launch its first consumer devices next April.

Verayo鈥檚 authentication key, called the Opal, is based on research published over a decade ago by Srini Devadas of the Massachusetts Institute of Technology. Devadas suggested that the distinctive physical properties of an object 鈥 for example, slightly varying wire thickness in a microchip or small variations in crystal structure 鈥 would uniquely alter an electromagnetic signal passing through it. That provides the basis for an unclonable key.

聯The distinctive physical properties of an individual object could form the basis of an unclonable key聰

Each Opal token is the size and shape of a bar of hotel soap, and contains a microchip with tiny imperfections that arise during manufacturing and are unique to itself. The device鈥檚 battery, activated by shaking, lasts for two years. You shake the device again to have it pair with a nearby computer or tablet via Bluetooth. 鈥淎s long as your device is within three feet of Opal, you are good to go,鈥 says Tony Le Verger, Verayo鈥檚 director of strategy. 鈥淵ou don鈥檛 even know that two-factor authentication is going on in the background.鈥 The computer or tablet reads the Bluetooth signal bouncing off the Opal and, if it matches a predetermined pattern, accepts you as a trusted user.

As well as promising to run more smoothly than YubiKeys, the Opal has a higher level of security, according to Verayo. 鈥淭here is no secret key to attack or extract from the token,鈥 says David M鈥檙a茂hi, the company鈥檚 chief technology officer.

A variation on this approach is being developed by Roarke Horstmeyer and colleagues at the California Institute of Technology in Pasadena. Their system uses light scattered through liquid crystals, which has the advantage of offering much more scope for randomness than a silicon chip. A device the size of a USB key, for example, requires gigabytes of data to characterise its properties. That data can then be used as a one-time pad 鈥 a reference 鈥渢ext鈥 for encoding information up to the size of the pad itself. The system is therefore very hard to crack, but also hard to implement due to the impracticality of storing and exchanging huge keys ().

Tying your digital life to a physical object can seem counter-intuitive, though. What happens if you lose your key or someone steals it? As with house keys, a digital version of changing the locks is in order. 鈥淚f you lose it, we kill it through our servers in an instant,鈥 says Le Verger. 鈥淣o one can use it. It鈥檚 dead.鈥

Even before its launch, Verayo鈥檚 technology is already finding an interesting use: tackling the problem of counterfeit wine in China, where the growing taste for fine wine is leading to cheap substitutes being sold in knock-off bottles. 鈥淲e are working with a Japanese company now to embed our technology into the cork of the bottle, to allow the buyer to check authenticity with their smartphone,鈥 says Le Verger. 鈥淲e鈥檝e delivered more than 15 million chips this year.鈥

Le Verger says the counterfeit problem in China is an enticing one for Verayo to solve, as their unique chips are affordable to mass-produce and easy for consumers to use. 鈥淚t鈥檚 security you can do at the end of the chain.鈥

Other products, too, may need to have their origin confirmed because of a dubious supply chain. 鈥淚 was talking about white wine, but baby food in Asia can have dangerous components too,鈥 Le Verger says.

When me and my dad were hacked

My father and I both had our passwords stolen in the recent that saw hackers make off with tens of millions of account details. According to online security site , my father鈥檚 password was common enough that 97 other people in the breach had the same one.

Major security breaches are one of the main ways for hackers to gain access to other people鈥檚 accounts. If your email address shows up on sites like , then it鈥檚 a good idea to reset your passwords.

Good password 鈥渉ygiene鈥 is vital: don鈥檛 reuse passwords on different sites, especially for services like banking, and ensure your passwords are long and unguessable.

Topics: Computer crime