Five years ago, Google's login team published a roadmap for stronger consumer authentication. The team has now released a report on how that roadmap played out, along with an updated version of what is in store next.
Eric Sachs, Google's group product manager for identity, talked about the progress and challenges the team has had during this time. Google has improved login security by analyzing more signals at sign-in and using them to drive risk-based login challenges. It has added an opt-in two-factor login verification process, it offers an OpenID-style login that other web sites are starting to adopt, and it has implemented OAuth in native apps.
Unfortunately, while OpenID-style federated login lets other sites lean on Google's stronger authentication, it is also complicated for those sites to implement, and Google plans to keep working on that. Google has also learned over the last five years that account recovery is a difficult and expensive problem, particularly as hackers and identity thieves become more sophisticated.
Sachs writes that Google’s five-year roadmap has done a good job of laying the groundwork so that the team can continue making improvements to its authentication system. Adoption of mobile phones has also helped spur this continued effort.
The team also plans an aggressive change to its login system. Users will either have to opt in to Google's two-factor login, or they will have to pass a two-factor challenge on most of their login attempts.
Google will help drive the ChannelID open standard, which ties bearer tokens and cookies to the device the user signed in from, so that a token or cookie lifted from one device is much harder to replay from another. ChannelID is already available in Chrome, and Google is testing it with Google Account login tokens and cookies.
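To make the binding concrete, here is an added illustration that is not Google's code and not the ChannelID protocol itself: the server MACs each session cookie together with a fingerprint of the client's channel key, so a cookie copied off one device fails verification when it arrives over a connection that presents a different channel key. Real ChannelID proves possession of the device key inside the TLS handshake; this sketch simply takes the key bytes as a parameter. The server key, session id and device keys are constructed stand-ins.

```python
import hashlib
import hmac

# Constructed stand-in for the server's cookie-signing secret (assumption, not a real key).
SERVER_KEY = b"example-server-key-do-not-reuse"


def channel_fingerprint(channel_public_key: bytes) -> str:
    """Stand-in for a TLS Channel ID: a hash of the client's per-origin public key.

    In real ChannelID the private key never leaves the device and possession is
    proven during the TLS handshake; here the caller hands us the key bytes and
    we only derive the identifier the server would bind the cookie to.
    """
    return hashlib.sha256(channel_public_key).hexdigest()


def _mac(session_id: str, fingerprint: str) -> str:
    msg = f"{session_id}.{fingerprint}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(session_id: str, channel_public_key: bytes) -> str:
    """Issue a cookie bound to the channel key the login arrived on."""
    fp = channel_fingerprint(channel_public_key)
    return f"{session_id}.{fp}.{_mac(session_id, fp)}"


def verify_cookie(cookie: str, presented_channel_public_key: bytes) -> bool:
    """Accept the cookie only if it is intact and arrived on the channel it was bound to."""
    parts = cookie.rsplit(".", 2)
    if len(parts) != 3:
        return False  # malformed
    session_id, fp, mac = parts
    if not hmac.compare_digest(mac, _mac(session_id, fp)):
        return False  # tampered or forged
    # The binding check: a bearer token presented over a different channel is rejected,
    # which is what defeats cookie theft and replay from another device.
    return hmac.compare_digest(fp, channel_fingerprint(presented_channel_public_key))


def demo() -> dict:
    """Issue one cookie to Alice's device and try to use it three ways."""
    alice_key = b"alice-device-channel-key"      # constructed stand-in for a device key
    mallory_key = b"mallory-device-channel-key"  # a different device, e.g. the attacker's
    cookie = issue_cookie("sess-123", alice_key)
    # Flip the last hex digit of the MAC to simulate tampering.
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    return {
        "same_device": verify_cookie(cookie, alice_key),
        "replayed_elsewhere": verify_cookie(cookie, mallory_key),
        "tampered": verify_cookie(tampered, alice_key),
        "malformed": verify_cookie("not-a-cookie", alice_key),
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC alone only stops forgery; it is the fingerprint comparison in `verify_cookie` that turns a bearer cookie into a device-bound one. Note that this only helps if the channel key is genuinely unexportable from the device, which is why the real standard anchors it in the TLS layer rather than in application code.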
Smarter hardware is also driving some of Google's experiments. Now that Android and iOS apps can generate OTP codes, Google wants to see whether a phone app can notify the user about risky activity on an account and require approval before that activity is allowed. To help with this, Google is working with the FIDO Alliance on Universal Second Factor (U2F), an open standard for "keychain devices" that website owners can leverage.
Sachs writes that over the next five years Google also intends to explore ways to unlock a device and confirm risky actions, including using biometrics to do so. It is also looking at combining authentication methods in portable tokens that could include biometrics or NFC capability.