Google's continuing odyssey to sink passwords

Google isn't just beginning to attack the password. In fact, it has been working since before 2010 on eliminating passwords and standardizing authentication on the Web.
Written by John Fontana, Contributor

Google did not declare war on passwords this week. In fact, the company has been publicly attacking passwords and asking Web site operators to get out of the password business for at least the past three years.

A research paper by Google's Eric Grosse, vice president of security, and Mayank Upadhyay, a Google engineer, slated for release by the end of the month, isn't a starting point; it's well into Google's ongoing R&D around getting rid of passwords, or at least minimizing their use.

The research, a finger-ring used for authentication, a hardware authentication device built by Yubico, and a protocol to link those things to Web sites, is the latest "experiment" in a line of experiments Google is working on to create a stronger master key/password, enable federation, and eliminate a user's bloated cache of weak and re-used passwords.

Some of Google's experiments have been made public and others have not. At least that is what I hear Googlers say when they speak at conferences such as the Internet Identity Workshop. It's not a secret.

The uplifting aspect of Google’s work is that the company has committed to giving up all the intellectual property to its creations to help foster adoption. This may sound altruistic, but let's be clear, Google knows its business model lies somewhere else.

But for now, it is doing things right in sticking to a plan of relinquishing ownership of technology it develops, a wise move considering the uproar around the proprietary hooks that doomed Microsoft Passport.

In fact, the research by Grosse and Upadhyay mentions a protocol they have developed for device-based authentication, and I hear that the IP will end up in a standards body, potentially the Internet Engineering Task Force.

As the protocol's details emerge, we'll know more about how worthy it might be.

Such an IP donation by Google is not without precedent. In 2011, Google turned its Account Chooser, a standard log-in UI specification, over to the OpenID Foundation, along with a verification scheme called Street Identity, which is now part of a pilot project being developed within the National Strategy for Trusted Identities in Cyberspace (NSTIC) program.

In addition, Google Authenticator, a second-factor authentication technology for mobile devices, was developed as an open source project and incorporates the Initiative for Open Authentication (OATH, which is different than OAuth) and HMAC-Based One-Time Password (HOTP) technology.

Turns out, both those technologies are supported in the Yubico authentication technology mentioned in the research done by Grosse and Upadhyay. (Read Yubico's blog for its take on the project).

Do you see a pattern here? Incorporating existing technologies, building UIs, developing authentication protocols, devising verification methods; what's next?

What hasn't changed, however, is the Achilles' heel that affects Google and other consumer identity federation schemes - the relying party role.

These are the Web sites that leave it up to companies like Google, Yahoo, Microsoft, Facebook and others to issue identities. The relying party is the one that accepts those credentials for authentication and must check with the issuer (known as the IdP) to confirm they are valid.

The relying party problem is akin to not having any merchants (relying parties) that will accept your credit card.

Google understands this gap must be closed for any of this other research to matter. In 2011, they released the Google Identity Toolkit, designed to make it easy for Websites to get up and running as a relying party and get out of the password business. The toolkit came after Google itself became a relying party for Yahoo! in Sept. 2010 in order to show the industry how the relying party role is done.

Grosse and Upadhyay mention that gaining acceptance from relying parties of their device-centric log-in technique, which is rooted in the protocol they have developed, is their key to success, especially with consumers.

It will be interesting if their device-centric authentication can get more potential relying parties to the commitment table, a development that will spur acceptance faster than any ring or hardware token, both of which are merely spins on existing or defunct authentication patterns.
