The world is moving away from physical (hard) lock and key security systems to virtual (soft) password/biometric oriented authentication mechanisms. The problem with the former is that criminals have come up with break in tools ranging from cutting out the locks to compiling master keys. The latter has problems ranging from people choosing passwords e.g. 123456 and password that criminals do not take two seconds to second guess to deploying a number of hacking schemes to break into the secured systems.
…security researcher Jeremi Gosney
took a look at the stolen data and found that the most popular user password was “123456?, with “password” not far behind. It’s a given in the security industry that when consumers have a choice between safety and convenience, the latter usually wins.
When it comes to passwords, the fact that users prefer convenience over password strength has made Google to develop a hardware based product named the YubiKey Neo based on Universal 2nd Factor (U2F) for identity verification. The YubiKey Neo is a gadget plugged into the computer via the USB port, and the user allows the YubiKey Neo to access the Google account in question by entering easy to remember PIN. The security in this system is that for one to access a Google account, one has to have both the YubiKey Neo and know the PIN. One may think of YubiKey Neo as similar to authentication mechanism used by Safaricom for M-PESA. To access M-PESA, one must have the physical SIM card and at the same time know the M-PESA key. So far there have been very few instances where people have lost money on M-PESA from hacking attempts. I have only attended to one case where someone lost Shs 20,000 but she decided to trust the agent with her phone, phone’s lock PIN, and the M-PESA PIN. The agent used these to get a new SIM card and used the new SIM card to transfer the Shs 20,000 to two different numbers. Since the follow up involved Kenya Police, she never recovered her money.
YubiKey Neo also works for smartphones via NFC technology in case you want to use it to access online accounts via phones has downsides too: 1. It can be easy to access spouse’s or close friend’s online communications and 2. Carrying an extra device as a password (key) is strenuous. The first point is true given that after living with people for a while, there is always that trust that develops where couples tend to allow access to accounts like banks, M-PESA etc mostly because they require a key (e.g. ATM cards) and accompanying PIN (it is easier to share PIN based systems than password based – my opinion) so couples will find themselves sharing their Gmail access credentials more often. The second point is basically the reason tech innovations around secure access are running away from the lock and key paradigm to smart oriented authentication protocols that do not require physical locks and keys. YubiKey will basically add to your bunch of keys an additional and technically unwarranted weight.
What I would request from Google and the Internet community in general is that they should seek another solution; probably people should be required to have two passwords. For example, if I were to access my Gmail, I would be required to enter my username, a password, and another different password. Each password can be as simple as possible as long as:
Both passwords do not have less than six characters
Either of the passwords must be numerical (PINs are basically numerical)
The password made of numbers must not be a series such as 123456…,…654321, or have a number repeated more than twice.
A password can only be used by up to 1% of the Internet population (e.g. that password has been exhausted should be a common notification).