Google's continuing odyssey to sink passwords

Summary: Google isn't just beginning to attack the password; it has been working since before 2010 on eliminating passwords and standardizing authentication on the Web.


Google did not declare war on passwords this week; the company has been publicly attacking passwords and asking Web site operators to get out of the password business for at least the past three years.

A research paper by Google's Eric Grosse, vice president of security, and Mayank Upadhyay, a Google engineer, slated for release by the end of the month, isn't a starting point; it's well into Google's ongoing R&D around getting rid of passwords, or at least minimizing their use.

The research, a finger-ring used for authentication, a hardware authentication device built by Yubico, and a protocol to link those things to Web sites, is the latest "experiment" in a line of experiments Google is working on to create a stronger master key/password, enable federation, and eliminate a user's bloated cache of weak and re-used passwords.

Some of Google's experiments have been made public and others have not. At least that is what I hear Googlers say when they speak at conferences such as the Internet Identity Workshop. It's not a secret.

The uplifting aspect of Google’s work is that the company has committed to giving up all the intellectual property to its creations to help foster adoption. This may sound altruistic, but let's be clear, Google knows its business model lies somewhere else.

But for now, it is doing things right in sticking to a plan of relinquishing ownership of technology it develops, a wise move considering the uproar around the proprietary hooks that doomed Microsoft Passport.

In fact, the research by Grosse and Upadhyay mentions a protocol they have developed for device-based authentication, and I hear that the IP will end up in a standards body, potentially the Internet Engineering Task Force.

As the protocol's details emerge, we'll know more about how worthy it might be.

Such an IP donation by Google is not without precedent. In 2011, Google turned its Account Chooser, a standard log-in UI specification, over to the OpenID Foundation, along with a verification scheme called Street Identity, which is now part of a pilot project being developed within the National Strategy for Trusted Identities in Cyberspace (NSTIC) program.

In addition, Google Authenticator, a second-factor authentication technology for mobile devices, was developed as an open source project and incorporates the Initiative for Open Authentication (OATH, which is different from OAuth) and HMAC-Based One-Time Password (HOTP) technology.

Turns out, both those technologies are supported in the Yubico authentication technology mentioned in the research done by Grosse and Upadhyay. (Read Yubico's blog for its take on the project).
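The HOTP algorithm mentioned above is specified in RFC 4226; the following is an added example (not code from the article, Google Authenticator or Yubico) showing how a token generates a value and how a relying party should verify it with a bounded look-ahead window so that a replayed or stale code is rejected. The secret is the public test vector from RFC 4226 Appendix D.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an HOTP value per RFC 4226: HMAC-SHA-1 over an 8-byte counter,
    dynamic truncation, then reduce modulo 10^digits."""
    msg = struct.pack(">Q", counter)           # moving factor, big-endian
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                    # low nibble of last byte picks the window
    code = (
        (mac[offset] & 0x7F) << 24             # mask the sign bit
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, counter: int, submitted: str,
                window: int = 5, digits: int = 6):
    """Server-side check. Tries the expected counter and up to `window`
    counters ahead (the token may have been pressed without a login).
    Returns the next counter to store on success, or None on failure.
    Counters behind the stored value are never accepted, which is what
    stops a captured code from being replayed."""
    for c in range(counter, counter + window + 1):
        # constant-time comparison avoids leaking match position via timing
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c + 1
    return None


# Constructed walk-through using the RFC 4226 test secret.
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    stored_counter = 0
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))      # 755224, 287082, 359152
    stored_counter = verify_hotp(RFC4226_SECRET, stored_counter, "287082")
    print("next counter:", stored_counter)     # 2: counter 1 accepted via window
    print("replay:", verify_hotp(RFC4226_SECRET, stored_counter, "755224"))  # None
```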

Do you see a pattern here? Incorporating existing technologies, building UIs, developing authentication protocols, devising verification methods; what's next?

What hasn't changed, however, is the Achilles' heel that affects Google and other consumer identity federation schemes - the relying party role.

These are the Web sites that leave it up to companies like Google, Yahoo, Microsoft, Facebook and others to issue identities. The relying party is the one that accepts those credentials for authentication and must check with the issuer (known as the identity provider, or IdP) to confirm they are valid.

The relying party problem is akin to not having any merchants (relying parties) that will accept your credit card.

Google understands this gap must be closed for any of this other research to matter. In 2011, it released the Google Identity Toolkit, designed to make it easy for Web sites to get up and running as a relying party and get out of the password business. The toolkit came after Google itself became a relying party for Yahoo! in Sept. 2010 in order to show the industry how the relying party role is done.

Grosse and Upadhyay mention that gaining acceptance from relying parties of their device-centric log-in technique, which is rooted in the protocol they have developed, is their key to success, especially with consumers.

It will be interesting to see whether their device-centric authentication can get more potential relying parties to the commitment table, a development that would spur acceptance faster than any ring or hardware token, both of which are merely spins on existing or defunct authentication patterns.


John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

  • If people have

    If people have to carry something (anything) with them then it's a dead end. Just not going to happen.
    • Consider what you already carry

      I carry a wallet everywhere. A phone. My eyeglasses. A keyring. Used to wear a watch until I got my cell phone. Many people wear some of the same jewelry every day.

      Why would asking someone to add an innocuous piece of hardware be so unbearable? Especially if it's convenient to carry and use. A ring makes sense. After a couple days it'll disappear into the background except when used. I imagine if the websites people use frequently adopt this kind of technology & enforce its use, people will model their behavior accordingly.
      • Ring wearing against health and safety rules

        Anywhere where there is rotating machinery rings are banned. If it gets caught say goodbye to your finger. Additionally, many people can't wear any form of jewellery for various reasons. I already have too much junk in my pockets. If it gets lost or stolen how long before a replacement?
    • I was going to ask... mean, like, a cell phone? But thookerov beat me to it with a host of additional examples demonstrating that "carrying something" is not that big a deal, especially if it's in a convenient form factor, like a ring....which brings up another consideration I'll chip in under its own comment.
      Non-techie Talk
  • Imagine that you have one single key..

    From their website:

    "Imagine that you have one single key and one single password to securely access all your Internet life. "

    Now imagine someone steels that key...
    Tomas M.
    • Ya but..

      How is that any different than someone steeling your credit card or wallet? You just make a call to the proper institution and let them handle most of the cleanup for you. In this case I am sure they could track all the logins since this master key was stolen. There is always a possibility of having something stolen.
      • Cost

        What about the many thousands of people who use the internet where the cost of such a device would be equivalent to several weeks if not several months pay? I live in a country where I am fortunate enough to not have to pay for my debit card; in other countries every additional thing is charged for. I would rather see a device which when you want to login the site sends a number. You enter this into the device then your pin number. This generates a new number which you send back to the site.
        • You have lots of ifs there, none are valid though

          What if you are in a country where they can't afford computers that can surf the internet?

          There are always a lot of ifs, but you have to start and this doesn't have to remove ordinary user/passwords. It's just more concurrent and secure than having lots of user/password pairs or even worse, one user/password for all your accounts which can be stolen from the site. It happens a lot. With this it will not be any big problem, as most sites will not store your password, just who to ask that can tell if you are who you claim you are.
    • Steels or Steals?

      I suppose you meant 'Steal' and not 'Steel'
    • It's harder to steal a key

      It is harder to steal a physical key, and more obvious that it has been stolen, than it is to steal a password. Still, if there is enough worth tied to it, people will try. How about a chip implanted somewhere on your body?

      Let's face it, more sophisticated locks lead to more sophisticated robbers. That doesn't mean that we should just give up.

  • Apple might be the first to "kill" passwords

    Apple has bought a company that developed unique software-hardware methods to scan/analyse fingerprints WITH under-skin landscape.

    This is revolutionary (yes, this is a rare case when such a word is appropriate) progress in safety, because all the previous fingerprint methods could be fooled easily enough.

    In this method, it is completely useless to just take fingerprints from a glass you left in a bar or any other method. (Even if bandits chop off your finger, it will not be recognized as legible by this system because a "dead finger" has its under-skin features changing quickly.)

    Apple might release iPhones/iPods/iPads (the Home button is going to be the reader), as well as MagicMouse/TrackPads or however they are called with such technology, and connect this functionality with the iCloud/iTunes account, and make it free to be usable for authorization in other systems (similarly to how now you can log on in many places via a Twitter account, for example).
    • Re: unique software-hardware methods to scan/analyse fingerprints WITH unde

      Biometrics ... ho-hum.
    • All you need are the ones and zeros from the digitizer.

      Once you have that you can send that to the software without a finger print scanner. If it's electronic then it can be hacked electronically.
      • And how are you going to get those "ones and zeros"?

        Only your actual living finger will be able to produce the sequence of ones and zeros that could be analysed to resemble your fingerprint with underneath, in-body structure. It will take forever to crack this.
  • biometrics

    Not sure if that's the right word, but I can easily see the recommendation being that some kind of chip is implanted under the skin which has all one's information and can be updated as info changes...of course, this would also allow satellite surveillance tracking down to individual granularity and threaten every notion of privacy we think we have...
    Non-techie Talk
    • biometric surveillance

      No, it won't. But you can still be tracked, but not by satellites. But if you have a surveillance camera in each corner, what is the difference...
  • Hobbit (- ting) ring...

    And then, one ring to rule them all...
    Roland Kar-tet
  • One thing is consistent in these comments section...

    The Naysayers!

    Thank you Google for taking this on. It may not be perfect AND it is a necessary step in the right direction. I would suggest that if we focused on getting Google, Amazon, Apple and Facebook to set aside the need to control this gateway and adopt a standard, it could put a large dent in online criminal activities.

    So instead of saying it ain't gonna happen, how about sharing ways to make it happen.
  • various fixes with various methods

    I work in a manufacturing facility that is serious about security. Everyone is required to have a coded card that is placed in proximity of a scanner/detector. I carry mine in my wallet. I put my wallet (containing the card) next to the scanner and the doors unlock.
    That's one possibility... a magnetic card coupled with an inexpensive reader connected to the USB port of a device (works for laptops/PCs). The same info could be encoded into a magnetic-retaining watch or ring or bracelet.
    Another easy for me is using a USB drive (I call mine, "dUSB", pronounced 'does-B') with LassPass on it.
    Recently I read about using pass-phrase in lieu of a password. Pass-phrase is an easily remembered, but hard to guess string of words the user/owner can REMEMBER. For instance, for ZDNet, the pass-phrase could be "myZDNet_LI_infofor2013isNOTcrackable". (The "LI" is for 'Log In'). Or "THISyear2013IwillUSEthisMETHOD", or something like, "IamOVER55yearsOLD&wantTOretire". Obviously the LassPass method is easier to use in the long run, but setting it up takes a little time. Time well spent to thwart password stealing.
  • Google's continuing odyssey to sink passwords

    nothing is new here, secure computing was doing it for more than 10 years. but with google giving it another shot in the arm, will give it more cachet and exposure to consumers. hope that they will reach more audience and help mitigate the problems that dogged internet computing since day one ...