Google Seeks To Usher In Age Of Physical Account Authentication With ‘One Ring’


Ok, Google is not actually bringing out a device called the One Ring, but the tech giant’s idea circles around a finger ring that could be used as an alternative to digital passwords. This idea or rather a research paper written by Google engineers will be published later this month in the IEEE Security & Privacy Magazine. Written by Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay, the research paper will speak about how in the future passwords could be completely replaced by more secure ways of user authentication techniques.

If there is one thing that 2012 taught us was passwords are not really safe. Last year saw many high profile cases of account hacks, including Yahoo, Sony PlayStation and more. While logging into your Facebook or Gmail account is made easy by simple and cost effective passwords they are by no means safe and are as good as non existent when the stakes are much higher than just Facebook accounts.

“Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” Grosse and Upadhyay explain in the paper.

Google is thus currently working on making its accounts compatible with physical authentication hardware such as cryptographic thumb drives and cards. A physical passkey such as the Yubico need only be registered once, after which they do not require to connect to the net and can unlock multiple accounts.

“We’d like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity,” reads the article.

The challenge is to take this approach beyond just Google. For any alternative and universal authentication technique to achieve success it has to be adopted by as many parties as possible. To achieve this, Google has developed a standard protocol that will make use of the browser and will not require any other software and will hence work with multiple accounts. Furthermore, this technique also has the added advantage against phishing.


More Information: Wired

One Reply to “Google Seeks To Usher In Age Of Physical Account Authentication With ‘One Ring’”

  1. Right now, to use one’s credit card, one needs to expose one’s name, CC#, security code, and, with online payments, your mailing address.

    I want to do away with exposing all this personal information. Imagine if instead of us giving all this personally identifying data to every merchant we want to do business with we do this instead.

    • We attempt to buy something.
    • The merchant determines a bill amount, $100.00 say.
    • The merchant sends a request for payment up into the credit cloud.
    • The credit cloud (their bank participating in the cloud) transmits back a transaction ID.
    • The merchant presents this transaction ID to the us, the customer.
    • Now, using our smartphones, we either scan a QR code with the embedded transaction ID (on the receipt say), or tap the merchant’s point of sale device to receive a NFC data pulse, or we manually type in the transaction ID.
    • Using a credit cloud enable payment app on our smartphone we connect to the cloud and authorize the delivery of payment to the merchant using the transaction ID delivered by the merchant.
    • The merchant is notified that that transaction ID was activated and payment was received.
    • We walk out with our $100.00 purchase without ever sharing a bit of personal information with the merchant.

    The merchant got paid. Our account was debited and the merchant’s information recorded in our credit cloud records (part of the exchange of the transaction ID). We’re happy with our purchase and remain completely anonymous to the merchant – just like cash.

    It gets better.

    Anyone can generate a request for payment transaction ID using the credit cloud.

    Say I’m selling my used pool table on CraigsList. A buyer shows up, and offers me $300 for it. I say OK and tap in a request for payment for $300 and get a transaction ID. My cloud payment app presents a QR code with the transaction ID embedded. The buyer uses their own phone to snap a pic of the code and then authorize payment through their copy of the cloud payment system. Ding, I get a message – payment received. The pool table is theirs.

    This could eliminate Square tomorrow. It would make every phone a point of sale system with a simple payment app.

    Credit card card companies still get their cut, charging the vendor or the customer a % of each payment. And or a transaction fee.

    Even online sales would work the same way. Amazon doesn’t need my credit card number. They only need to present a QR code onscreen that I can use my phone to snap a picture, authorize payment, and pow!, transaction done.

    The Credit Cloud returns the anonymity of cash to customers. It protects our privacy and eliminates data loss breaches of personally identifying information.

Comments are closed.