Safer Passwords but not More Privacy

Google has developed a new device that might save us all from having to remember passwords. I know that passwords are one of my own personal bugaboos and it’s embarrassing to admit how many times I have returned to a website or service and been unable to use it since I could not remember my user name and password.

In 2014 Google is going to release a new privacy platform that would be the first big step to do away with passwords. The product will be called the YubiKey Neo and will be a USB dongle built by Yubico for Google. The technology involved is called U2F, or Universal Second Factor. This technology builds upon earlier work done in the development of smart cards.

The way the YubiKey will work is that when you are using Google Chrome or Gmail, you will log in once to the YubiKey with a user name and a PIN. Then, whenever the need for a password arises in those two applications, the YubiKey will verify who you are and you will no longer need to know passwords. It is then impossible for somebody else to pose as you on the Internet unless they have your user name, PIN and physical possession of your YubiKey.

This would be a somewhat limited security platform if it only worked with Google Chrome and Gmail. But Google wants this to be a universal security device and has joined a new coalition called FIDO (Fast Identity Online Alliance). This coalition includes other heavy hitters like MasterCard and PayPal. Google has published the U2F specification and says it is committed to an open source security solution. Google hopes this becomes the standard way to protect your identity.

This kind of technology could make online shopping even safer. And it certainly is a great way to make life easier for people like me who don’t really want to remember the passwords for a hundred different sites and services. But in the end, it really doesn’t help our privacy, just our security.

Let’s face it. We have all bought into the world where we give up our personal data for the ease or enjoyment of using free services like Facebook, LinkedIn or Gmail. It’s a well-known axiom in the industry that the product of all of these free sites is us, their users. These companies make money by using information they gather about you and everybody else on their site.

They mostly use the data today to feed advertisers, who are using that data to get more and more focused in bringing you ads for things you want to buy. But your data is starting to be used in many other new ways. Things you post on Facebook are now searchable on Bing and Google. There are social web connections being made where companies no longer just try to figure out what you like, but they also want to know who you know. These large companies are constantly playing around with our data to see if they can find new ways to make money from your data or to make their product more valuable so they can gather even more data.

People just don’t realize, or mostly don’t care, that everything they do and say on free web services is kept and analyzed and used by the web companies to profile them better and know even more about them. The only way to put the genie back in the bottle is to stop cold turkey using social web sites, and very few people want to do that. So I am certainly glad if the new Google product can do away with passwords, but I don’t take comfort that I am any safer on the web.