Physical Tokens Set to Become a Real Alternative to Passwords?

By January 15, 2014

Though personal questions can help to create a secondary bulwark against hacking when a user connects to a system from an unidentified terminal, the use of physical keys or ‘tokens’ looks likely to provide more secure two-factor identity authentication.

According to an article in the international science magazine New Scientist, ‘password’ and ‘123456’ are the most commonly used character combinations for passwords! The huge number of passwords required to access an array of online services ranging from professional to purely private use makes the whole process of creating successive passwords so difficult that people tend to oversimplify, and hackers are not slow to take advantage of this opportunity. However, the use of physical keys or ‘tokens’ as a second layer of user authentication might provide a solution to the password fiasco. The giants of Silicon Valley are already getting really interested in this approach. John Flynn, a security engineer at Facebook, is quoted as saying that this system provides the smoothest login experience he is aware of. At Facebook, all employees are already using this kind of login system.

Creating an unclonable token

At the same time Google is currently trialling YubiKey, a small cryptographic card that plugs in to a USB port and mimics a keyboard entering a single-use password into the authentication field. In principle, however, this could be duplicated. Californian startup Verayo is working to get around this risk, producing unique authentication keys based on the fact that the distinctive physical properties or imperfections of an object – for example slightly varying wire thickness in a microchip – uniquely alters an electromagnetic signal passing through it. The idea is that when a user carrying Verayo’s ‘Opal’ token comes within three feet of a computer or tablet, the device will bounce a Bluetooth signal off the token and check that the unique rebound signal matches the pre-recorded pattern, thus providing secondary authentication to complement the password. Meanwhile a variation on the Verayo Opal project is currently under development at the California Institute of Technology in Pasadena.  Their system uses light scattered through liquid crystals, which has the advantage that it offers much more scope for randomicity than a silicon chip and therefore makes it even more difficult to clone.

Combating product counterfeiting

Going beyond computer logins and into the real world, this type of physical authentication token can also be used to help combat counterfeiting, verifying the authenticity of products, such as wine, that are prone to counterfeiting. Embedding the widget into the cork of a wine bottle will enable buyers to check its authenticity from one end of the supply chain to the other. What happens however if a token is lost or stolen?  As soon as its disappearance is reported, that particular key can be deleted from the system by the company’s servers in an instant. In any case the prospect of an unauthorised person trying to use a lost or stolen user-authentication token to enter a computer system should not be too worrying…as long as the first-level password remains secret.

Legal mentions © L’Atelier BNP Paribas