2013-01-18

Thoughts on Google, YubiCo, and "The War on Passwords"


There are a lot of articles going around the blogosphere today about Google "Declaring War on the Password", and showing pictures of a YubiKey.

While I am a fan and proponent of improved trustworthiness of authentication, especially using two-factor protocols like HOTP and TOTP and devices like the YubiKey, I am curious as to what all the hubbub is about today.

What keeps Google Authenticator and YubiKey from easily working together right now is the fact that Google uses TOTP and YubiKey implements HOTP.  They are almost the same protocol, with one important difference.  TOTP is time based.  That's what the T stands for.  Every fixed interval (usually 30 seconds) a TOTP token generates a new password, which means that the token needs to know what time it is, which means it needs a clock.  A HOTP device like a YubiKey, on the other hand, just needs to keep a counter, and generates a new password every time its button is pressed.

So the Google and Yubi partnership means one of three things.

  1. Google is going to support HOTP on the Google Two Factor Login service, or
  2. Google and YubiCo have figured out how to put an extremely low power clock and extremely small battery into a new version of the YubiKey, or
  3. Google and YubiCo have written a USB device driver that speaks to the YubiKey when it's plugged in and tells it what time it is to generate the correct password (which means that driver needs to be installed on every Windows/Linux/MacOS/ChromeOS device you want to use the token on)

I look forward to seeing which one it is.  My money is on option #3, with the added guess that it will probably be supported, at least initially, only on machines running Chrome or ChromeOS.

3 comments:

  1. I'll bet you're right, there...the Google Authenticator app actually supports HOTP already, but I've never seen it used in practice and would be mildly surprised to see Google enable that option on their two-factor auth.

  2. I have Google Authenticator hooked up with my 2 factor login to Launchpad/Ubuntu, and it uses HOTP instead of TOTP. It was interesting to see the differences in UI.

  3. I hadn't really looked into the Yubikey much before now, but see that they have support for TOTP on Windows using a helper app:

    http://www.yubico.com/applications/internet-services/gmail/

    Presumably something similar could be written for other platforms.

    Still requires having something installed on the host, but at least it's not a driver.
