Google is planning a two-factor authentication token, the firm’s principal engineer, Mayank Upadhyay, has confirmed.
The security industry has long recognised that passwords are becoming increasingly insecure and difficult to use as they become more complex and difficult to remember.
“Authentication is a key part of security, and with technology shifts we have an opportunity to redefine it so that it is easy to use and is more secure,” Upadhyay told the ISSE 2013 security conference in Brussels.
Google plans to introduce a single USB token that can be used to authenticate to multiple online services.
Users will register the token’s public key, and then registering with each new service will create a unique pairing with the token’s private key without ever exposing the private key.
“This eliminates the need for one-time passcode (OTP) mechanisms, the need to store secrets in the datacentre, and the possibility of man-in-the-middle [MITM) attacks,” said Upadhyay.
Until now, second factor authentication has relied on OTPs by text message, but this approach has several challenges, such as when users lose their mobile phone.
“Hackers have also adapted to the use of OTPs by creating ways of stealing user credentials as well as OTPs,” said Upadhyay.
Giving users control of online accounts
Google is optimistic about user adoption of the proposed token because it will give users a sense of being in control over who has access to their online account, he said.
The company also expects adoption to be supported by the fact that the token does not require any middleware, it can be used for multiple services, and website integration is simple and easy.
“In this way, website users remain in complete control of the user interface,” said Upadhyay.
Google is testing the proposed token internally for allowing staff to access corporate data and is working with the Fido alliance on new industry standards on authentication.
The token is also being tested with a small group of partners ahead of the public roll-out, which Upadhyay said was likely to be some time in 2014.
Secure password alternatives
Longer term, Google sees the token as the opportunity to reduce passwords to a single personal identification number that can be used with the token for multiple accounts.
“A single PIN is typically used for multiple bank cards nowadays, which is a model that could be extended to online services using the proposed token,” said Upadhyay.
As trusted platform modules (TPMs) with cryptoprocessors become available in all devices, tokens could be built into devices such as smartphones using the secure area of the built-in TPM.
Google decided not to use TPMs for the initial implementation of its universal authenticator because many legacy devices are not equipped with the TPM chips.
“We believe USB will provide the best connectivity across the types of devices in use around the world at the moment,” said Upadhyay.
The first tokens will have near field communication (NFC) capability, which will enable them to be used with the new smartphones that are using this technology.
Strengthening cloud authentication
Through this project, Google hopes to introduce “non-stealable” credentials, which the firm considers a key component in making security easier for users.
Other key components are malware-resistant platforms, secure communication channels, and out-of-band notifications relating to sensitive transactions.
“The whole IT industry needs to work together to establish standards for strong device to cloud authentication – we must seize the opportunity to make it happen,” said Upadhyay.
Previous attempts at introducing password alternatives have failed because of the need for all web services to adopt the same standard, but pundits say Google may be big enough to make it happen.
Leave a Reply