Once again, Google is blazing a new technology path, not necessarily by innovating, but by having the size and influence to make change happen in an industry that seems at times to get stuck in a vicious circle. In this particular case, technology has been navel-gazing on the password issue for years despite having the solution in hand decades ago: multi-factor authentication (MFA). You have probably been using its simplest and best-known form, two-factor authentication, for years without even realizing it: your ATM card and PIN. In MFA terms, this is “something you have” (your ATM card) and “something you know” (your PIN). Without both present, authentication doesn’t happen.
Using its thousands of employees as guinea pigs since early 2013, Google is testing a technology platform it plans on releasing in 2014 based on MFA. The “something you have” in this case is a small USB fob that is paired with your user login and a simple 4-digit PIN (the “something you know”) that authenticates you on a computer or an NFC-capable mobile device. If this sounds familiar, it may be because this device I wrote about previously does essentially the same thing. Instead of having to remember a bunch of different passwords, whenever you needed to prove who you are on the web or in an app, you could plug in your YubiKey (or tap your Nymi!) and voilà, “Identity Verified!”
What this means for you:
The YubiKey Neo isn’t available yet, and Google hasn’t given a firm date as to when it will be available other than “2014”. Also, the utility of the device is highly dependent on a wide variety of services adopting the authentication platform, so even if they made it available as early as next month, you may find it to be somewhat useless until your favorite providers implement the technology, if they do at all. If you want to show your support for the death of the password, you may want to jump on the Nymi bandwagon, as even if the product never gets widely adopted, you can still accessorize with a wearable conversation piece!
In a move that surely caught Hollywood by surprise, Canadian company Bionym has announced the imminent arrival of a biometric authentication device dubbed “Nymi” that relies not on retinal scans or fingerprints or even handprints, but upon the beating of your heart. As with many things human and organic, the particular rhythm of your cardiac system is unique to you, and the mad scientists at Bionym are leveraging this fact as part of a 3-factor authentication system that will allow you to use the bracelet for a variety of applications, not the least of which will be unlocking your devices, accounts and just about anything that can be communicated with via Bluetooth or NFC.
What this means for you:
Just about everyone, including yours truly, grumbles about how inconvenient password authentication really is, despite knowing just how bad it could be without it. Nymi has the potential to leverage biometric security measures in a way that doesn’t rely on easily defeated fingerprint readers or expensive and uncomfortable body part scanners. This type of 3-factor authentication puts a twist on traditional two-factor methods (password + device) and instead substitutes your cardiac signature plus physical contact with your skin for the password to unlock the Nymi, which is also tied to another device like your smartphone for a third verification. Absence of any one of the 3 factors makes authentication impossible, and mere possession of the device doesn’t prove ownership as it does for current-gen proximity devices like the Skip.
It almost sounds too good to be true, and the demo video released by the company has a distinct sci-fi feel that will probably provide at least one eyebrow-raising moment for any first-world citizen. But when you stop to think about the various demonstrations, each one already has an existing, real-world corollary that while maybe not in widespread use yet, could easily become commonplace tomorrow, especially if Nymi takes off. I believed enough in the promise to pre-order mine (#1141). Heck, for $79, at minimum it will make for a great conversation piece at parties, and if all it does is keep my cell phone securely and safely unlocked while I’m near it, I’ll consider it money well spent.
Motorola has recently announced a near-field communication (NFC) device called the “Skip” which can be paired with their new Moto X smartphone to allow for quick unlocking of a PIN-protected device. The small wearable device also comes with a handful of “Skip Dots” which are smaller versions of the Skip that can be placed at frequently visited locations like your car or desk, allowing the same, “tap to unlock” functionality offered by the Skip device. According to Motorola, the Skip will supposedly save the average user quite a bit of time, based upon a calculation that we spend on average 2.9 seconds punching in our PINs up to 40 times a day.
What this means for you:
This particular idea isn’t new. NFC dots/stickers have been around for a while, and many Android phones can use the presence or absence of NFC points to gain locational awareness at a level much finer than afforded by GPS. Depending on how they are programmed, Android phones can automatically unlock themselves when near specific dots, or enable Bluetooth when near a dot placed in a car, etc. The problem, as you can imagine, is that it gives thieves and malicious actors the ability to unlock a stolen or misappropriated phone merely by possessing the “Skip” itself. Seeing as it’s attached via magnets, and likely to be near the phone itself, gaining both items gives the possessor the literal keys to your smartphone’s kingdom. The Skip Dots also add another easy vector for malicious actors who are familiar with the phone owner, such as a co-worker, fellow student or roommate, and who can take advantage of an unattended phone and a known Skip Dot location.
Smartphone PINs are there for a reason: to make it difficult to unlock your phone. What’s the point of putting a lock on your front door if you are going to leave the key sitting in plain view for anyone to use? My advice to you: don’t use devices like the Skip (or any NFC device) to bypass security. It’s there for a reason; imagine how inconvenienced you would be if your phone (and everything on it) were compromised.