Once again, Google is blazing a new technology path, not necessarily by innovating, but by having the size and influence to make change happen in an industry that seems at times to get stuck in a vicious circle. In this particular case, technology has been navel-gazing on the password issue for years despite having the solution in hand decades ago: multi-factor authentication. In its simplest and best-known form, you have probably been using two-factor MFA for years without even realizing it: your ATM card and PIN. In MFA terms, this is “something you have” (your ATM card) and “something you know” (your PIN). Without both present, authentication doesn’t happen.
Using its thousands of employees as guinea pigs since early 2013, Google is testing a technology platform it plans on releasing in 2014 based on MFA. The “something you have” in this case is a small USB fob that is paired with your user login and a simple 4-digit PIN (the “something you know”) that authenticates you on a computer or an NFC-capable mobile device. If this sounds familiar, it may be because this device I wrote about previously does essentially the same thing. Instead of having to remember a bunch of different passwords, whenever you needed to prove who you are on the web or in an app, you could plug in your Yubikey (or tap your Nymi!) and voilà, “Identity Verified!”
What this means for you:
The Yubikey Neo isn’t available yet, and Google hasn’t given a firm date as to when it will be available other than “2014”. Also, the utility of the device is highly dependent on a wide variety of services adopting the authentication platform, so even if they made it available as early as next month, you may find it to be somewhat useless until your favorite providers implement the technology, if they do at all. If you want to show your support for the death of the password, you may want to jump on the Nymi bandwagon, as even if the product never gets widely adopted, you can still accessorize with a wearable conversation-piece!
In a move that surely caught Hollywood by surprise, Canadian company Bionym has announced the imminent arrival of a biometric authentication device dubbed “Nymi” that relies not on retinal scans or fingerprints or even handprints, but upon the beating of your heart. As with many things human and organic, the particular rhythm of your cardiac system is unique to you, and the mad scientists at Bionym are leveraging this fact as part of a 3-factor authentication system that will allow you to use the bracelet for a variety of applications, not the least of which will be unlocking your devices, accounts and just about anything that can be communicated with via Bluetooth or NFC.
What this means for you:
Just about everyone, including yours truly, grumbles about how inconvenient password authentication really is, despite knowing just how bad it could be without them. Nymi has the potential to leverage biometric security measures in a way that doesn’t rely on easily defeated fingerprint readers or expensive and uncomfortable body part scanners. This type of 3-factor authentication puts a twist on traditional two-factor methods (password + device) and instead substitutes your cardiac signature plus physical contact with your skin for the password to unlock the Nymi, which is also tied to another device like your smartphone for a third verification. Absence of any one of the 3 factors makes authentication impossible, and mere possession of the device doesn’t prove ownership as it does for current-gen proximity devices like the Skip.
It almost sounds too good to be true, and the demo video released by the company has a distinct sci-fi feel that will probably provide at least one eyebrow-raising moment for any first-world citizen. But when you stop to think about the various demonstrations, each one already has an existing, real-world corollary that while maybe not in widespread use yet, could easily become commonplace tomorrow, especially if Nymi takes off. I believed enough in the promise to pre-order mine (#1141). Heck, for $79, at minimum it will make for a great conversation piece at parties, and if all it does is keep my cell phone securely and safely unlocked while I’m near it, I’ll consider it money well spent.
Apple has joined the growing ranks of digital services enabling two-factor authentication as a means to protect their customers from account theft. Two-factor authentication has long been a staple of secure corporate and government networks, and employs a basic mechanic of password plus a randomly-generated authentication code that is delivered to a device that you must have in your possession at the time of authentication. In the past, this device has traditionally taken the form of keychain fobs and cards whose sole purpose was to generate numeric keys constantly, but this same functionality can now be delivered through apps that are installable on smartphones, via SMS message to registered cell phones, or even via automated voice calls to your home or office phone.
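The password-plus-code login described above, seen from the server's side, as an added example that is not Apple's code or part of the original post. The class name, the `send_sms` callback, the 5-minute code lifetime and the 3-attempt limit are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300      # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 3    # wrong guesses allowed per code (assumed policy)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class TwoFactorLogin:
    def __init__(self, send_sms):
        self.send_sms = send_sms  # callable(phone, text): stand-in for SMS delivery
        self.users = {}           # name -> (salt, password hash, phone)
        self.pending = {}         # name -> [code, expires_at, attempts_left]

    def register(self, name, password, phone):
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, hash_password(password, salt), phone)

    def start(self, name, password, now=None):
        """Factor 1 (something you know): only a correct password triggers a code."""
        now = time.time() if now is None else now
        user = self.users.get(name)
        if user is None:
            return False
        salt, pw_hash, phone = user
        if not hmac.compare_digest(hash_password(password, salt), pw_hash):
            return False
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.randint
        self.pending[name] = [code, now + CODE_TTL, MAX_ATTEMPTS]
        self.send_sms(phone, f"Your verification code is {code}")
        return True

    def finish(self, name, code, now=None):
        """Factor 2 (something you have): single-use, expiring, attempt-limited."""
        now = time.time() if now is None else now
        entry = self.pending.get(name)
        if entry is None:
            return False
        expected, expires_at, _ = entry
        if now > expires_at:
            del self.pending[name]
            return False
        if hmac.compare_digest(code.encode(), expected.encode()):
            del self.pending[name]  # burn the code so it cannot be replayed
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self.pending[name]  # too many guesses: force a fresh code
        return False
```

A six-digit code has only a million possible values, so the expiry and the attempt limit are what keep it from being guessed.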
What this means for you:
In Apple’s case (as with services like Gmail, Facebook, and many massively multiplayer online games like World of Warcraft), two-factor authentication is an opt-in service, and is not enabled by default with your Apple ID/iTunes account. Enabling the extra security requires that you register one or more cell phones with Apple that will receive your authentication code via SMS. Should you do this? If you use services that require an Apple ID (iTunes, iCloud, Mac.com, etc.) with any frequency, and especially if you have iTunes credit banked, you should absolutely enable two-factor authentication, especially if the account is tied to a core service you rely on, such as a Mac.com email address, or iCloud for your iPhone and other Apple devices. Two-factor security makes your Apple ID (or any other account like Gmail, etc.) that much harder to hack. There will be some inconvenience, especially if you are in a hurry to access your account and have to hassle with the extra security code entry, but imagine the alternative if your account is hacked.
With greater security comes less convenience, a fact of life in this digital age, and not something that will change in the foreseeable future without a significant evolution in security technology.