Cookies are small text files issued by websites to web browser software to keep visitors logged in once they have entered their password.
“We’d like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity,” the Googlers wrote.
Grosse and Upadhyay said they are currently experimenting with YubiKey, a tiny USB stick that implements highly secure “one time pad” cryptography to log in to Google services, as a replacement for passwords. In the future, they want similar authentication technology to work wirelessly and across all of a person’s online accounts.
“We’ll have to have some form of screen unlock, maybe passwords but maybe something else,” Grosse said, Wired reports. “But the primary authenticator will be a token like this or some equivalent piece of hardware.”
Security experts have pointed to the problems with passwords for years, and suggested alternatives, but none have been widely adopted because they would require web services to adopt standards.
Grosse and Upadhyay’s paper is attracting attention because coming from the world’s biggest web company, it may stand a better chance of success.
“Others have tried similar approaches but achieved little success in the consumer world,” Grosse and Upadhyay wrote.
“Although we recognize that our initiative will likewise remain speculative until we’ve proven large scale acceptance, we’re eager to test it with other websites.”
Given the rivalries online and the low cost and ubiquity of passwords, progress remains a tall order, however. Bill Gates predicted the death of passwords at a security conference in 2004.