Will NFC Become a Password Killer?
mobilesecurity.com [Mountain View, CA] Near Field Communication (NFC) may have made a slow start as the technology to revolutionise mobile commerce, but its potential doesn’t lie purely in contactless payments.
While the likes of Google Wallet and Apple Passbook envision users paying for things by touching a device to a terminal, the security issues surrounding that usage (skimming of card data over the air and the cloning of payment tags) have raised uncomfortable questions. There are, however, scenarios in which NFC could play a more positive role in mobile security. For example, it could be the key hardware component of an authentication scheme that replaces user-keyed passwords.
This seems to be the direction Google is taking, at least. Having confirmed the Google Wallet Card in late 2012, Google now appears to be considering dropping traditional passwords and using NFC technology as a replacement of sorts. Such a system would require both an NFC-enabled device and a key fob capable of sending a cryptographically generated one-time password to that device.
Many online banking customers already use a second factor: a token or app generates a one-use code that they type in when logging in or confirming a transaction. Using NFC would require less interaction from the user. A device owner would simply touch the key fob to their device to deliver the one-time password, which could then be used to mark the device as trusted, or simply to log into an email, online shopping or social networking account. The one-time property matters: a code captured by an eavesdropping reader is worthless only if the server refuses to accept the same code twice.
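To make the tap-to-login flow concrete, the following is an added example, not code from Google, Yubico or the article, that simulates a key fob emitting one-time tokens and a server validating them. It is a simplified illustration: the fob carries a monotonically increasing use counter and a MAC over it, and the server accepts a token only if the MAC verifies and the counter is higher than the last one it recorded for that fob, so a replayed token is rejected. The real YubiKey OTP protects its counter with AES encryption; this example substitutes an HMAC-SHA256 tag because it needs only the Python standard library. The fob identifier and the shared secret are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import struct

MAC_LEN = 16          # truncated HMAC-SHA256 tag carried in each token
BODY_FMT = ">I4s"     # 32-bit use counter followed by 4 random bytes
BODY_LEN = struct.calcsize(BODY_FMT)


class KeyFob:
    """The NFC fob: holds a shared secret and emits one token per tap."""

    def __init__(self, public_id: str, secret: bytes) -> None:
        self.public_id = public_id
        self._secret = secret
        self._counter = 0  # real hardware keeps this in non-volatile memory

    def tap(self) -> str:
        """Return the string an NFC reader would receive on a tap."""
        self._counter += 1
        body = struct.pack(BODY_FMT, self._counter, secrets.token_bytes(4))
        tag = hmac.new(self._secret, self.public_id.encode() + body,
                       hashlib.sha256).digest()[:MAC_LEN]
        return f"{self.public_id}.{(body + tag).hex()}"


class AuthServer:
    """Validates tokens and remembers the highest counter seen per fob."""

    def __init__(self) -> None:
        self._fobs: dict[str, tuple[bytes, int]] = {}

    def enrol(self, public_id: str, secret: bytes) -> None:
        self._fobs[public_id] = (secret, 0)

    def verify(self, token: str) -> tuple[bool, str]:
        """Return (accepted, reason); the reason names why a token was refused."""
        public_id, _, hexpart = token.partition(".")
        if public_id not in self._fobs:
            return False, "unknown fob"
        try:
            raw = bytes.fromhex(hexpart)
        except ValueError:
            return False, "malformed"
        if len(raw) != BODY_LEN + MAC_LEN:
            return False, "malformed"
        body, tag = raw[:BODY_LEN], raw[BODY_LEN:]
        secret, last_counter = self._fobs[public_id]
        expected = hmac.new(secret, public_id.encode() + body,
                            hashlib.sha256).digest()[:MAC_LEN]
        # Constant-time comparison; check integrity before trusting the counter.
        if not hmac.compare_digest(tag, expected):
            return False, "bad mac"
        counter, _nonce = struct.unpack(BODY_FMT, body)
        if counter <= last_counter:
            return False, "replay"  # already used, or older than the latest
        self._fobs[public_id] = (secret, counter)
        return True, "ok"


def demo() -> list[str]:
    """Walk through a tap, a replay, a forgery and an out-of-order token."""
    shared_secret = secrets.token_bytes(16)       # constructed for the demo
    fob = KeyFob("fob-0001", shared_secret)       # constructed identifier
    server = AuthServer()
    server.enrol(fob.public_id, shared_secret)

    first = fob.tap()
    outcomes = [server.verify(first)[1],          # ok
                server.verify(first)[1]]          # replay of an eavesdropped token
    second = fob.tap()
    forged = second[:-2] + ("00" if second[-2:] != "00" else "11")
    outcomes.append(server.verify(forged)[1])     # bad mac: tag no longer matches
    outcomes.append(server.verify(second)[1])     # ok
    outcomes.append(server.verify(first)[1])      # replay: counter behind latest
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The server state is the whole defence against replay: if it forgets the last counter (for example after a restart without persistence), every token captured in the meantime becomes valid again, which is why the real validation services store the counter durably per key.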
Google is already conducting initial tests with a cryptographic device called the YubiKey, made by a start-up named Yubico. A full account of those tests will be published in an upcoming issue of IEEE Security and Privacy magazine.
The write-up will be by Google VP of Security Eric Grosse and engineer Mayank Upadhyay. The pair aren't restricting themselves to 'key fob to device' use, either. In fact, NFC-enabled mobile devices may play a larger part in the process. "We'd like your smartphone or smartcard-embedded finger ring to authorise a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity," the Google engineers told Wired.
So not only could a cryptographic key authorise a mobile device, but a mobile device itself could act as an authenticator for other devices. It's a fascinating development and an extension of what many previously considered NFC to be capable of.
The question is, will there be a future in which such NFC-enabled systems dispense with passwords altogether? The answer may be 'no', or at least 'not for some time', but Google seems to be betting that the need for other types of authentication will come soon if it isn't already here. Grosse and Upadhyay write, “Others have tried similar approaches but achieved little success in the consumer world...Although we recognise that our initiative will likewise remain speculative until we’ve proven large scale acceptance, we’re eager to test it with other websites.”
Furthermore, the engineers have developed the technology as an independent protocol for device authentication: it is not restricted to Google devices and does not depend on any particular software. With Yubico's YubiKey supplying the hardware, we might soon be changing the way we think about logging in, and being careful what exactly we touch with our phones.