Google unveils 5-year roadmap for strong authentication


Summary: Smartphones and smart apps are major factors in access control strategies that plan to ignore whining from end-users


Google unveiled on Wednesday a five-year roadmap for stronger consumer authentication that taps smartphones, long-lived tokens, and futuristic schemes to harden access controls, while striking an unapologetic tone toward users who resist the change.

The plan will ultimately change Google's login system by breaking today's pattern of end-users signing in over and over. In its place, Google will install strong authentication on a device such as a smartphone when it is set up.

A complex authentication code will replace the password and allow the device to identify itself and its user, participate in complex authentication flows, and recognize usage patterns that signal attacks.

"We will change sign-in to a once-per-device action and make it higher friction, not lower friction, for all users," said Eric Sachs, group product manager for identity at Google. "We don't mind making it painful for users to sign into their device if they only have to do it once."

Sachs, speaking at the IIW (Internet Identity Workshop) Conference in Mountain View, California, said that Google won't shy away from making transitions difficult for end-users in order to have better security in the long run.

"We now plan to roll out a change to our login system in which we will be much more aggressive," Google wrote in a document outlining the roadmap (with accompanying slide deck).

Sachs said that Google will require all end-users to have two-factor authentication enabled. Today, Google and other websites offer it as an option.

Sachs said that Google will put research and development into specific areas, with the goal of altering today's authentication and authorization patterns. Those areas include authentication at setup, moving beyond the use of so-called bearer tokens that give access to whoever presents them, tapping into smarter hardware, and devising new methods for bootstrapping, device unlocking, and confirmations for "risky actions".

He did not say what Google was budgeting in terms of investment to develop the strategy.

In 2008, Google made a similar five-year authentication plan. The biggest areas of gain were risk-based login challenges, strict two-factor challenges, OpenID-style login, and use of the OAuth authentication/authorization protocol so that apps outside the browser did not have to ask for passwords.

Google and other vendors have made progress in these areas, and work continues.

Sachs said that since 2008 Google has learned that account recovery was its Achilles' heel, that it was hard to get vendors to adopt OAuth, that OpenID migration was taxing, and, most importantly, that "bad guys had evolved to more sophisticated attacks".


Google said that the new five-year plan corrects one particular course it misjudged in 2008.

"Five years ago, this level of smartphone adoption was not predicted," said Sachs. "We did not see that coming."

As a major part of the new plan, Sachs said that Google will weave smartphones and smart apps through a series of new authentication methods and back-end infrastructure changes.

He said Google likes the mobile model where applications are available once the user accesses the device.

"We plan to take our learnings from Android OS and apply it to Chrome, as well as taking lessons from how identity works for Android apps and apply it to web apps," according to the document outlining Google's plans.

Sachs said the ugly truth is that there is a consistent identity for mobile applications, but not for browsers and websites. "We need more plumbing," he said.

He used an example of a "God-level OAuth token" that a smartphone could have at the operating system level to be used for authentication actions in the browser. "There is a lot of work to do here," he said.

Google will use smartphones and smart apps installed on devices to support one-time passcodes (OTPs), portable OTPs, and newfangled schemes that can challenge users, such as presenting a map so users can verify the location they are logging in from.

Today, there are smart apps that generate OTPs even when a mobile phone has no connectivity. Ultimately, Google hopes to require logins in which the proof of the second factor is much harder, if not impossible, to phish than an OTP.

Google also plans to develop methods that will accommodate users who don't have their phone. One example is letting the user access online a list of the devices connected to an account and answer challenges there.

These sorts of schemes get around one problem with two-factor authentication (2FA), where one user on a shared account can't sign in because they don't have the device receiving the verification code.

Google's plan relies heavily on smarter hardware, and will tap that hardware to try to make unauthorized access via social engineering, such as phishing, more difficult.

Sachs used the example of a web-based online banking application prompting the user to open up a smartphone version of the same app to click a confirmation button for a transaction, and to validate the authenticity of the web-based site.

Google will explore using technologies such as biometrics and Near Field Communication that let users identify themselves, and allow one device to verify a new account on a second device. The bootstrapping of the device could go from Android to Chrome or from Android to Android devices.

"We would prefer for a user to authorize a new device by having an existing device talk to it via a cryptographic protocol that cannot be phished," Google said in its strategy document.

Sachs said support of non-Google devices is being worked on via Google's participation in the Fast Identity Online (FIDO) Alliance, where it has teamed with hardware security token vendor Yubico on developing a new strong authentication protocol called Universal Second Factor (U2F).

Google said that in the future, it will request this method be used when consumers add an account to a new device. Google joined FIDO in late April.

Google will also explore how users unlock a device connected to their accounts, and how a user "confirms" they are indeed the ones performing "risky actions" on devices connected to their accounts.

Google will also work on back-end infrastructure, specifically public/private key pairs and server cookies stamped with a public key as defined in the IETF's ChannelID draft proposal.

Google does similar things today with its Chrome platform.

"In the future, it is our goal to allow early adopters to require the use of tokens 'tied' to public/private keypairs for any access to your account (from both apps and browsers)," Google wrote in its strategy document.

The ChannelID proposal focuses on how to protect the cookie on the device that proves the user previously signed in and reduces the risk associated with leaked reusable bearer tokens.

Also, Google plans to use more trusted platform modules (TPMs) and OAuth tokens on devices, and in the future, deprecate bearer tokens, which give access to whoever presents them without any further challenge.
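The distinction the preceding paragraphs draw, between a bearer cookie and a token "tied" to a public/private key pair, worked through as an added example that is not Google's code or the ChannelID draft's: the server keeps a hash of the device's public key alongside the session record and only honours the cookie when the presenter signs a fresh challenge with the matching private key, so a leaked cookie on its own is useless. The server class, the user name and the 40-bit toy RSA keys are constructed placeholders; a real deployment would use properly generated keys.

```python
import hashlib
import secrets

# Toy RSA keypair, constructed for illustration only: a 40-bit modulus is trivially
# factorable, so it merely stands in for the key pair a real device would generate.
def toy_keypair(p=1000003, q=1000033, e=65537):     # pow(e, -1, m) needs Python 3.8+
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return (n, e), d                                # (public key, private exponent)

def h(msg, n):                                      # hash the message into Z_n
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
def sign(priv, pub, msg):                           # textbook RSA over a hash, toy only
    return pow(h(msg, pub[0]), priv, pub[0])
def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == h(msg, pub[0])
def key_id(pub):                                    # the public-key "stamp" kept with the cookie
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()[:16]

class Server:
    """Two cookie stores, so the bearer and key-bound models can be compared."""
    def __init__(self):
        self.bearer = {}                            # cookie -> user
        self.bound = {}                             # cookie -> (user, key_id of the device key)

    def login_bearer(self, user):
        c = secrets.token_hex(16); self.bearer[c] = user; return c
    def login_bound(self, user, pub):
        c = secrets.token_hex(16); self.bound[c] = (user, key_id(pub)); return c

    def access_bearer(self, cookie):                # whoever presents the cookie is let in
        return self.bearer.get(cookie)
    def challenge(self):                            # fresh per connection, so a signature cannot be replayed
        return secrets.token_bytes(16)

    def access_bound(self, cookie, pub, nonce, sig):
        rec = self.bound.get(cookie)
        if rec is None or rec[1] != key_id(pub):            # cookie was not stamped with this key
            return None
        if not verify(pub, nonce + cookie.encode(), sig):   # presenter cannot prove the private key
            return None
        return rec[0]

def demo():
    srv, (alice_pub, alice_priv) = Server(), toy_keypair()
    thief_pub, thief_priv = toy_keypair(1000037, 1000039)    # the thief's own key, not Alice's
    bearer, bound = srv.login_bearer("alice"), srv.login_bound("alice", alice_pub)
    n = srv.challenge(); msg = n + bound.encode()            # assume both cookies have leaked
    return {"bearer_thief": srv.access_bearer(bearer),       # 'alice': a stolen bearer cookie works
            "bound_owner": srv.access_bound(bound, alice_pub, n, sign(alice_priv, alice_pub, msg)),
            "bound_thief": srv.access_bound(bound, thief_pub, n, sign(thief_priv, thief_pub, msg))}
```

The thief case fails twice over: the stamp does not match his key, and even a forged stamp would leave him unable to sign the nonce.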



John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.



  • Good for "bad guys"

    Once they hack through the system they are golden for a year.
    • if they could hack it

      Good luck with that.
      • They always do...

        Just watch and learn.
  • So let me see...

    Google wants to, in five years, lock down the Internet tighter than the chastity belt on a virgin at a KISS concert. And guess who holds all the keys...Hmmm.

    And you all were getting your knickers in a knot over Secure Boot.
    • Unclutch your pearls.....

      ...take a deep breath and listen to reason. Google isn't locking down "the whole internet," just the parts of it they own. Don't have a Google account? You're not affected one whit by this policy. Comparing Google's authentication policies to Secure Boot is an apples-to-bowling balls comparison. While I may USE Google's services, they own those services. Look at their TOS. My computer, on the other hand, is owned by ME, so Secure Boot is putting a restriction on my property by a third party. See the difference?
      • Problem with Secure Boot with Linux users.

        Secure Boot was promulgated by Microsoft for only Microsoft's needs. Linux does not require it.

        A nephew of mine wanted a dual boot setup with his new Win7 notebook, which also now uses secure boot. The problem is I can install Linux and disable secure boot, but do I want to leave it disabled for Win7? No, not really.

        I had a dual boot Acer netbook with Win7 that was infected with the Auleron.DX botnet by just trying to run critical updates. This proved to me that anyone can be vulnerable to botnet rootkit attacks using even 64-bit Win7 with advanced driver signing. What are you going to do when just running updates (after AV is installed and running) gets you infected? Win7 was removed and now the premium Acer One Aspire only runs Mint 14 Cinnamon. (Acer 721-3070, with HDMI).

        Secure Boot doesn't prevent Windows problems; its core purpose is to prevent competition from installing on hardware as you described.
        • UEFI Board of Directors

          UEFI Board of Directors most definitely created this standard for Microsoft. After all, Microsoft has all these companies in their pockets:
          AMD, American Megatrends, Apple, Dell, HP, IBM, Insyde, Intel, Lenovo, Phoenix Technologies.
          Koopa Troopa
        • Then it's doing a crappy job

          Since turning off Secure Boot is easy.
          Michael Alan Goff
    • better than MS.

      I trust Google one hell of a lot more.

      MS has way too many security failures, illegal activity, snooping,...

      But then, I don't have a smartphone either. (no benefit unless traveling, and I don't do that anymore).
      • They are all insecure

        MS has and always will have vulnerability issues. So does every single other software maker. MS is still the biggest and that is why they are targeted the most. Wow... did not know I could time travel on this site... first time I saw that argument about MS was around 1993.
        • Security was never really about popularity

          It was always much more about robustness and design. Macs now dominate in school environments, traditionally hot beds of infected computers and notebooks when Windows dominated, but now....not really. Your argument was just as dopey in 1993 as it is now.
          • Exactly

            Mac didn't have any huge security vulnerabilities infecting over half a million computers in the past year or anything...
            Koopa Troopa
          • The real strength of Apple

            ... is that they manage to make People like you believe such stories.
            Markus Müller
      • Google and protecting Windows Gmail users.

        Using Gmail helps Microsoft users tremendously.

        Several years ago, a story broke one morning about how bitmap image files could have values modified that were not visible to the naked eye, but created a security threat for Windows. An article contained a sample bitmap image that when accessed, would just open the Windows calculator, proving the vulnerability. The morning the story broke, I tried to send the file to a colleague using my Gmail. The Gmail was already configured to prevent the sample from being sent and provided a large red banner across the top of my Gmail informing me the file was infected.

        My point is, Google's actions were cloud based and immediate. No other AV product that was running or anything MS Outlook was providing could react that quickly. Gmail is your best protection against receiving and transmitting Windows malware. BTW, Google does not allow sending or receiving .exe files, so if I want to send .exe files, I have to use my other high capacity email, which doesn't offer AV protection or restrict .exe files.
        • Or Rename your exe?

          Can't you just rename exe or does it actually look at the binaries?
      • Dumb prepaid phone good for travel

        I travel occasionally, but a dumb $20 prepaid phone is good enough for that. I don't give Google or anybody else on the Internet any information I would not broadcast to the world.
  • Ugh!! More hubris from our *providers*...

    Who is the customer here, anymore? The first rule of business: the customer is KING. Forcing users to use these schemes, vs. leaving them as an option, is NOT legit!

    I've been locked out more than once from my yahoo mail account because "this is not the device you've logged in on in the past". No kidding!...I got a new laptop. There was no easy way to recover -- I had to message yahoo customer service and wait 24 hours for a reset (an eternity in internet time, and potentially *very* disruptive had that been a business email account!).
    • Welcome to Economic Fascism

      Google will get away with what it wants as long as it keeps doing whatever it can to help any nation's government in any covert way it can. You can blame Google.. or you can place the blame on the real culprits- your fellow countrymen who go out of their way to not be informed.
      • Oh like MS skype backdoor

        to allow FBI and CIA to tap calls?
    • I guess they are pushed up against a wall. Maybe it's not their fault.

      Yahoo has to function in order to generate revenue. If logon credentials are constantly compromised and infections get out of hand, too many people will be taken out of service for them to continue to justify selling advertising.

      Yahoo has a lot of problems. Over the years, I've received spam emails (from Yahoo patrons) from legitimate people I have corresponded with in the past. These people with Yahoo email accounts have had their passwords hacked on several separate occasions (on Yahoo's servers) and the spammers have gained access to their contact lists. I immediately send them an email informing them of the problem with an image of the spam email sent from their account, recommending they immediately change their Yahoo email password.

      Some people have had this happen multiple times over the years.

      Yahoo's probably going nuts trying to keep their email intact. Failures like that could cause customers to become frustrated easily and maybe try Gmail, the world's largest email provider (420 million users).