Fraud levels are really scary: Google looks to ditch passwords for good as they are insecure and ECB
by Kylene Casanova
Google engineers are looking at ways to stop using passwords, which they believe are no longer enough to keep users safe. They are testing new tools that could replace passwords as the primary way of authenticating identity on the web.
Google is currently running a pilot that uses a YubiKey cryptographic card developed by Yubico — a startup operated out of Sweden and the US, which has produced a two-factor authentication fob that can emit encrypted one-time passwords to NFC-enabled smartphones.
"Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe," Grosse, Google's VP of security, and engineer Mayank Upadhyay wrote in a research paper to be published in the IEEE Security and Privacy Magazine later this month, according to a Wired report. They do not imagine that passwords will completely disappear, but that they will have a less significant role in authenticating ID, playing second fiddle to smartphones or chip-embedded things as the primary authenticator.
ECB Guidelines against payment fraud
In what it says is "an important set of guidelines against payment fraud", the European Central Bank (ECB) has unveiled plans to introduce harmonised, minimum security recommendations in Europe covering Internet payments and customer authentication.
The ECB proposals, which have a planned implementation date of 1 February 2015, would require payment service providers (PSPs) and payments governing bodies to protect the initiation of online payments and the transaction data that flows across these systems using "strong customer authentication" technologies and procedures.
The rules would mean PSPs and others would have to give customers all necessary assistance in following best-practice online security measures, including the use of monitoring tools that can detect and prevent fraudulent attempts. Log-in attempts would be rationed, and the harmonised European-wide rules would establish common time limits within which the appropriate authentication must be entered. Of course, many such pattern-spotting software systems are already deployed, but the rules will seek to introduce a common minimum standard.
The scale and types of fraud in online payments and systems are accelerating. The challenge for corporate treasury departments is how soon they can employ these technologies and guidelines to minimise their exposure to fraud. Is there anything they can do, rather than just wait for their banks and TMS provider to come up with solutions? A major fraud incident in the department could be career threatening.