Google’s five-year plan for authentication: It’s complicated

Google has released a draft of its next five-year plan for login authentication that tries to stay at least on par with criminal hackers, but recognizes that strong security requires industry collaboration.

The draft, which was released Wednesday for security pros, explores where Google might head following its first five-year plan issued in 2008. The company declined to comment further on Thursday.

Over the last five years, the security landscape has changed dramatically with the broad adoption of smartphones, the rise in hijackings of website accounts and the evolution in hacking techniques and tools that require innovation in defenses.

This year, Google rolled out a two-step login process to attach a specific device to an accountholder. The company is now considering becoming much more aggressive with the mechanism, which is currently optional.

Users who skip two-factor authentication attached to a mobile phone may have to pass a challenge along with inputting the password on nearly all sign-ins.

Google also favors shifting as much of the authentication chores as possible on the device and its operating system. Once people sign at the OS level on an Android phone, Google would like to have those credentials work across all the apps on the device and websites accessed from the browser.

Currently, two-factor authentication usually involves a site sending to a person’s mobile phone a text message with a number that they input to access services on that device. Google would like to switch to having an approved smartphone authorize another device through near-field communications over a cryptographic protocol that cannot be phished.

Google is a supporter of OpenID, an open standard that makes it possible for a cloud-based identity provider to store credentials, making them available to any website or any app on a mobile phone.  However, that technology remains too complicated.

[Also see: Google looks to kill passwords, but experts say not so fast]

“While many sites want to add support for identity providers, there are still very hard usability problems and account linking issues,” Google said in the draft. “We still believe that is the approach that the vast majority of websites should take, so Google will continue to support efforts to simplify those issues and define best practices.”

Google also wants to implement the ChannelID open standard that locks cookies to the device that receives them. Websites will send a cookie after a visitor logs in to maintain that session. However, there are various techniques a hacker can use to steal that cookie in order to impersonate the accountholder. ChannelID solves the problem by not allowing any other device to use the same session cookie.

Security experts agree that Google’s plans to improve security in its environment are solid and follow best practices. “They’re stepping up to the plate with recognition that the current authentication mechanism that users use on the Internet today with passwords is broken,” said Patrick Harding, chief technology officer for Ping Identity.

But Jon Oberheide, chief technology officer for Duo Security, said Google needs to put more emphasis on account recovery, which becomes necessary when people forget passwords or loose the mobile phone tied to the two-factor authentication system. In the draft, Google acknowledged this problem was the “Achilles heel” of its automated systems.

“Automated recovery mechanisms for two-factor systems tend to be less secure than the native two-factor credential, which means they will be the lowest part of the fence for attackers to jump over,” Oberheide said.

Implementing the technologies Google suggests would be very difficult, said Mark Risher, chief executive of Impermium. For example, some of the technology is interrelated, so they have to be deployed together for maximum security, making the process complicated.

In addition, to really improve security, the majority of website operators will have to be willing to adopt a lot of the same technology outlined by Google. “The website owners, the businesses, need to care enough to make those kinds of investments,” Risher said. “We work with sites of all types who are blindly ignorant of the risks that they’re under.”