If you can't remember all your passwords, take heart: hardware tokens that can't be cloned will soon offer secure access to your digital life


WE ARE hopeless at computer security: “password” and “123456” are still the most common passwords, despite being trivial for anyone to guess. Many of us use the same login for many accounts because remembering multiple complex passwords is a pain.

What if you could simply use a real object to log in? So-called physical key authentication is already used by staff at Facebook, and Google is planning to roll it out to its users in 2014. Some of these keys or “tokens” will rely on their physical structure to make them unclonable, and could be used not just for computer logins but also to verify the authenticity of products that are prone to counterfeiting, such as wine.

Google, along with many other providers of email or online shopping services, is already trying to strengthen password security using an approach called two-factor authentication. If someone logs into their Gmail account from an unfamiliar computer, Google will ask them to type in an additional piece of information. This could be a code sent via SMS to their cellphone or one generated periodically by the Google Authenticator app.


Physical tokens will soon be part of this process. Google is now trialling YubiKey, a small cryptographic card that plugs in to a USB port and mimics a keyboard entering a single-use password into the authentication field. At Facebook, all employees are already using such cards for two-factor authentication.

John “Four” Flynn, one of Facebook’s security engineers, says the system provides the smoothest login experience he is aware of. “We’re keeping an eye on emerging authentication technology. Hardware authentication is one of those,” he says.

But YubiKeys can, in principle, be cloned, even though it is difficult to do so. Not so with keys from a California-based start-up called Verayo, which will launch its first consumer devices next April.

Verayo’s authentication key, called the Opal, is based on research published over a decade ago by Srini Devadas of the Massachusetts Institute of Technology. Devadas suggested that the distinctive physical properties of an object – for example, slightly varying wire thickness in a microchip or small variations in crystal structure – would uniquely alter an electromagnetic signal passing through it. That provides the basis for an unclonable key.


Each Opal token is the size and shape of a bar of hotel soap, and contains a microchip with tiny imperfections that arise during manufacturing and are unique to itself. The device’s battery, activated by shaking, lasts for two years. You shake the device again to have it pair with a nearby computer or tablet via Bluetooth. “As long as your device is within three feet of Opal, you are good to go,” says Tony Le Verger, Verayo’s director of strategy. “You don’t even know that two-factor authentication is going on in the background.” The computer or tablet reads the Bluetooth signal bouncing off the Opal and, if it matches a predetermined pattern, accepts you as a trusted user.

As well as promising to run more smoothly than YubiKeys, the Opal has a higher level of security, according to Verayo. “There is no secret key to attack or extract from the token,” says David M’raïhi, the company’s chief technology officer.

A variation on this approach is being developed by Roarke Horstmeyer and colleagues at the California Institute of Technology in Pasadena. Their system uses light scattered through liquid crystals, which has the advantage of offering much more scope for randomness than a silicon chip. A device the size of a USB key, for example, requires gigabytes of data to characterise its properties. That data can then be used as a one-time pad – a reference “text” for encoding information up to the size of the pad itself. The system is therefore very hard to crack, but also hard to implement due to the impracticality of storing and exchanging huge keys (arxiv.org/abs/1305.3886).

Tying your digital life to a physical object can seem counter-intuitive, though. What happens if you lose your key or someone steals it? As with house keys, a digital version of changing the locks is in order. “If you lose it, we kill it through our servers in an instant,” says Le Verger. “No one can use it. It’s dead.”

Even before its launch, Verayo’s technology is already finding an interesting use: tackling the problem of counterfeit wine in China, where the growing taste for fine wine is leading to cheap substitutes being sold in knock-off bottles. “We are working with a Japanese company now to embed our technology into the cork of the bottle, to allow the buyer to check authenticity with their smartphone,” says Le Verger. “We’ve delivered more than 15 million chips this year.”

Le Verger says the counterfeit problem in China is an enticing one for Verayo to solve, as their unique chips are affordable to mass-produce and easy for consumers to use. “It’s security you can do at the end of the chain.”

Other products, too, may need to have their origin confirmed because of a dubious supply chain. “I was talking about white wine, but baby food in Asia can have dangerous components too,” Le Verger says.

When me and my dad were hacked

My father and I both had our passwords stolen in the recent security breach at Adobe that saw hackers make off with tens of millions of account details. According to online security site Lastpass, my father’s password was common enough that 97 other people in the breach had the same one. Major security breaches are one of the main ways for hackers to gain access to other people’s accounts. If your email address shows up on sites like haveibeenpwned.com, then it’s a good idea to reset your passwords. Good password “hygiene” is vital: don’t reuse passwords on different sites, especially for services like banking, and ensure your passwords are long and unguessable.

This article appeared in print under the headline “Death of the password”