Our lives are becoming more tightly integrated with online services every day. From email, calender, and to-do lists, to grades, banking, and bill payment, almost everything can be done via some web portal on some web server. To protect ourselves from identity theft we're told we need to use passwords that are long, contain mixed-case lettering, numbers, and even symbols — in other words, we need passwords that are difficult for us to remember. Then, to make matters worse, we're told that we need to use different passwords for each site so we minimize the potential impact if any one of those sites gets compromised.
"Compromised" is a "friendly" word for "hacked", by the way.
Even still, passwords are a pain in the neck. To help us remember all these different passwords our web browsers store them for us. Unfortunately, all it takes is one piece of malware to commandeer our computer and all of our stored credentials are at risk. Are we safer now than we were before?
No, I don't think we are.
To combat all this, Google has been experimenting with a new 2-step sign-in. I happen to use it and it annoys the living daylights out of me. Every time I set up a new tablet or flash a new ROM on my phone I've got to log in to my Google Account with my username and password, then I'm asked to provide a special code. This code could come from the Authenticator app on my phone (unless that's the device I'm trying to set up), a text message or phone call to the number that I have on file, or one of several "backup codes" that Google has provided for me.
Sounds complicated, right? It is. To make matters worse, not all of Google's products and services work with this higher-security, so I've got to create an application specific password for those cases. I've already sworn it off twice, but here I am using it again — all in the name of security.
That's were true "security" really comes in to play, though: through multiple, disconnected forms of authentication. Google Authenticator is the first step in that direction, but it still requires that you have a user name and password in addition to the extra component.
"Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe," said Google vice president of security Eric Grosse and engineer Mayank Upadhyay. I can't say that I disagree. However, the solution has to be something simple, yet significantly more secure.
Google's approach to security centers around a physical device. Currently that could be your smartphone, but even then you'd have to protect it with a secure password rather than a face unlock, pattern, or pin — and who wants to do that. Another idea is a chip that's embedded in a physical device that you'll always have with you, like a ring. That ring could use some wireless technology such as NFC to respond to requests for a time-limited token that would identify the user and allow them access to whatever sites or services were set up to accept such a credential.
It won't happen overnight, that's for sure, and there are limitations of using a ring for this purpose. In the end, however, I think we can all agree, we need to do something to better secure ourselves online, and more complex passwords aren't the answer.