Google to make 2-step verification mandatory, phones to replace passwords

May 11, 2013

The rise of mobile devices and persistent connectivity, along with apps and cloud services, has put all of us at risk when it comes to online security. Simply put, it is no longer enough to use strong passwords and to encrypt traffic to websites and services. According to a recent Google draft report on making its systems more secure, the company is looking into smartphone-based sign-in (including tapping a phone to log in), long-lived device tokens, and mandatory two-step verification on its services.

This is part of Google’s rolling five-year security roadmap. The last time Google mapped out its big-picture security plan was in 2008, and a revamp is now due. In that period Google planned and implemented two-step verification, which requires both a password and a one-time code before granting access to an account; the code was originally a six-digit number sent via SMS.

Two-step verification has been optional so far, though, and Google now wants to “rollout a change to our login system in which we will be much more aggressive.” What has happened since 2008? A lot, apparently.

Google cites a few things that have pushed it to a more aggressive security stance. First, in 2008 smartphones were not yet as popular as they are today; Eric Sachs, group product manager for identity at Google, says the company did not see it coming: “Five years ago, this level of smartphone adoption was not predicted.” Given the popularity of smartphones today, Google will tie security and authentication to mobile devices, alongside back-end improvements.

High friction, but only at the start

According to Sachs, Google has no qualms about increasing the so-called friction of logging in if that improves security: “We don’t mind making it painful for users to sign into their device if they only have to do it once.” The key is that you are inconvenienced only once, when you key in both your password and a one-time code, whether one sent to your phone via SMS or one generated by an authenticator app. Subsequent logins would be token-based: the device holds a long-lived token, and other apps and services should never have to ask for your credentials again for as long as you have access to that device. The corollary is that the device, and whatever unlocks it, becomes the thing to protect.

Instead, Google’s proposed login methods would revolve around your mobile device of choice, an Android smartphone for instance. Rather than keying in your password to access a third-party service, you would approve the web login from a prompt on your smartphone.

As an alternative, Google proposes using technologies like NFC to “bootstrap” logins: you log in to a service by tapping your smartphone on an NFC reader in your notebook or other device. This assumes both devices support the technology, and Google envisions such a login method for Chromebooks. Because the company does not control other manufacturers’ hardware, though, it is still looking for standards that work across devices and platforms. The same goes for third-party applications, since not all developers and services use OpenID and OAuth.

Google knows you

Beyond unlocking and authentication, Google’s security plan is more sophisticated still. An added factor would be learning an account’s behavioral patterns and raising flags when usage deviates from them: “We are beginning to experiment with apps on the phone that display notifications about risky behavior on an account.” For instance, you might usually access web apps and services from a certain location or at a certain time of day. If you suddenly access them from somewhere else (another country?) at a strange time, Google might ask you to approve the action on your mobile device before proceeding.
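A minimal version of that risk check, as an added illustration rather than Google’s own logic: build a profile of countries, devices and sign-in hours from an account’s past successful sign-ins, score each new attempt against it, and escalate to an approval prompt on the enrolled phone when the score crosses a threshold. The history, the weights and the threshold are all constructed for the example.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample history for one account (illustrative, not real data).
# Each entry is a prior successful sign-in: UTC timestamp, country, device identifier.
HISTORY = [
    ("2013-05-01T08:05:00Z", "PH", "android-phone"),
    ("2013-05-01T21:40:00Z", "PH", "android-phone"),
    ("2013-05-02T08:10:00Z", "PH", "chromebook"),
    ("2013-05-02T13:00:00Z", "PH", "chromebook"),
    ("2013-05-03T09:30:00Z", "PH", "android-phone"),
    ("2013-05-04T22:15:00Z", "PH", "chromebook"),
    ("2013-05-05T07:55:00Z", "SG", "android-phone"),  # one short trip abroad
]

# Assumed weights: a device without a known token counts for the most, a never-seen
# country next, an odd hour least.
WEIGHTS = {"unknown device": 3, "new country": 2, "unusual hour": 1}
CHALLENGE_AT = 2  # at or above this score, ask the phone to approve the sign-in


def _hour(ts: str) -> int:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).hour


def build_profile(history):
    """Summarise what 'normal' looks like for this account."""
    return {
        "devices": {device for _, _, device in history},
        "countries": Counter(country for _, country, _ in history),
        "hours": Counter(_hour(ts) for ts, _, _ in history),
    }


def assess_signin(profile, ts: str, country: str, device: str):
    """Return (decision, score, reasons) for a new sign-in attempt."""
    reasons = []
    if device not in profile["devices"]:
        reasons.append("unknown device")
    if profile["countries"][country] == 0:
        reasons.append("new country")
    hour = _hour(ts)
    # An hour is 'usual' if any earlier sign-in fell within two hours of it (wrapping midnight).
    if not any(profile["hours"][(hour + delta) % 24] for delta in range(-2, 3)):
        reasons.append("unusual hour")
    score = sum(WEIGHTS[r] for r in reasons)
    decision = "allow" if score < CHALLENGE_AT else "challenge"
    return decision, score, reasons


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for attempt in [
        ("2013-05-06T08:20:00Z", "PH", "chromebook"),      # routine
        ("2013-05-06T03:00:00Z", "RU", "windows-laptop"),  # everything is off
        ("2013-05-06T08:00:00Z", "US", "android-phone"),   # own phone, new country
    ]:
        print(attempt, "->", assess_signin(profile, *attempt))
```

A known device at a usual hour in a known country is allowed through on its token; a never-seen device from a new country at 3 a.m. gets every flag and is challenged; the user’s own phone from a new country is also challenged, which is the “approve it on your phone” flow described above. The thresholds are the tuning knob: set them too low and you get the complaints in the comments about every new browser tripping the check.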

Google's planned authentication schemes will enable you to approve or reject sign-ins from your mobile device, without the need to manually key in passwords.

Apart from these systems, Google also advocates smarter hardware that would improve security and the platform for accessing apps and services. The company notes that biometrics would be a good addition, although fingerprint and facial recognition, among others, still have unresolved problems.

What Google says is hard at this point is account recovery. “Account Recovery is our achilles heel,” says the white paper. Recovery should be easy enough for the real user, yet still hard for an attacker to abuse. “Bad guys will try to hijack accounts through account recovery systems, but this poses hard challenges since the recovery systems have to help the real owner who has truly lost access to those other factors,” Sachs writes.

Another big concern is that the risk has grown because attackers have found better ways to monetize hijacked accounts, and are therefore willing to go to great lengths to get into them.

Google is confident about the results of its 2008 five-year security plan and hopes that its 2013 plan will likewise result in better security for both end users and developers. You can check out the draft report, PUBLIC DRAFT: Stronger Consumer Authentication – 5 year report, from the source links below. Google has also prepared a slide deck as a simpler presentation.

Comments

  • terminator

    What about someone like me that has different phone numbers for each country I visit often, and changes phones often? The only thing that stays the same is my email address and the associated password?

    • MasterMuffin

      I hated this thing with Facebook; every time I logged in with a different device or from a different location or even from a different browser, it went all crazy. I hope Google makes it better if they choose this road.

    • K.

      What happens when you are travelling and your cell phone does not have coverage? This happened to me while I was on vacation a couple of years ago and it was quite a pain to log in to my Gmail account with the 2-step verification. Since then I have gone back to the old way. It’s good to try to improve security, but before doing so they need to think about all the consequences for the end user.

      • julian

        Yeah, so this is exactly what the one-time-use codes they give you to print when you enable it are for.

      • Ramiro Fernandez

        You don’t need any kind of coverage to use Google’s 2-step verification as it is currently; it will work in airplane mode. The codes are time based and generated on your phone. Obviously the “authorisation” process documented above will require data on your phone, but I imagine they can fall back to the code-based authentication where the user doesn’t have a data connection handy.

    • julian

      Install and configure the authenticator app on your different devices. Simples.

      • terminator

        If you understand my post, you’ll realise the hell it’ll put you through. It’s not a matter of changing devices. If you’re in a different country with a different phone number (roaming is ridiculous), a different computer/phone/tablet, different EVERYTHING, it’s not that simple, even with the authenticator.

    • Philin

      What happens if you simply don’t have a pre-paid texting plan, or (God forbid!) even a cellphone? We nerds can rage all we like, but there are a lot of people like this out there.

  • http://www.dainbinder.com/ Dain Binder

    This is an excellent plan! There are certainly some issues that need to be worked out, but it is the best direction to keep us secure.

  • Oli72

    excellent plan google.

  • http://bit.ly/ardchoille42 Ian MacGregor

    I own a Chromebook and an Android phone. I’m deaf and on a fixed income so I can’t just hop on a telephone to receive a voice call, it takes me a while to save up for a new device. Suppose my Chromebook is lost and my Android device is stolen. How do I log into my google account at my local library once 2-step authentication is made mandatory?

    * I can’t buy a new phone right away, funds are too limited
    * I’m deaf and cannot receive a token by phone
    * I guard my account so closely that I wouldn’t trust anyone to receive a token for me
    * I’m horrible about keeping track of paperwork – which is why I bought a mobile phone in the first place
    * I have never owned a printer and cannot afford to buy one

    I have an idea, Google should make two-step authentication opt-in rather than mandatory. Oh, wait..

    • jangeloracoma

      Hi Ian, you can perhaps keep track of the codes by writing them down on paper and storing the note somewhere safe. Google usually gives these codes 10 at a time. I’ve used them 4 times in those rare cases I was unable to authenticate via mobile. You can always re-generate or refresh these when needed. I’m horrible at keeping track of paperwork, too, but there are some pieces of paper that you will most likely need to keep safe somewhere, like your passport, passbooks, etc.

      • http://bit.ly/ardchoille42 Ian MacGregor

        I’d rather not have to go to my bank safe deposit box every other day just to gather some codes. Annoyed users = shrinking userbase.

  • http://www.facebook.com/matthew.wypyszinski Matthew Wypyszinski

    Let’s just start instituting retinal scans and DNA samples and be done with it. Go go three-step authentication.

    “hello dave…..”

    • Terris Leonis

      Something you know, something you have, and something you are. Some laptops already come with fingerprint scanners. Combine password, security token and fingerprint for a first time login and you’re done.

      • http://www.facebook.com/matthew.wypyszinski Matthew Wypyszinski

        lol, I liked the article I read about the possibility of using brain scans as an authentication method. Someone has invented a cheap scanner sensitive enough to do it, so basically when logging in you would be asked to complete a simple task like click the blue circle or something like that.

  • Mark Brough

    I’ve given Google a friend’s mobile number. Because I fear that if my smartphone were stolen, Google might SMS something inappropriate to the thieves which might enable them to access accounts. Two-step authentication sounds seriously flawed for smartphone security.

    • jangeloracoma

      I believe the point behind 2-step authentication is for you to login with (1) something you know, which is your password, and (2) something you have, which is your mobile device. So if someone steals your phone, it’s not likely that they can also retrieve item #1, unless you have your password noted somewhere on your phone. And I don’t believe Google sends password retrieval info via text.

      Oh, and this is one good reason for ensuring your device has a lock-screen password or pattern in the first place.

      You can add several numbers to the 2-step verification option, though. This would be great if you don’t have your phone, but you’re with your significant other, friend, or co-worker, for instance.

  • IncCo

    I seriously doubt this will ever happen. I dont think google would like to deal with all the uproar something like this would undoubtedly cause.

  • disruptivetech100

    Vir2us Technologies is already providing this technology.
    http://www.indiegogo.com/projects/xeropass-forget-your-passwords-for-good

  • Phed Up

    To my recollection, this minor issue became a serious problem after companies like Google began linking all of their services under a common login, greatly increasing the risks of a compromised user account. I would have liked to keep my Picasa web account separate from my GMail, and both separate from the credit card number stored in my Play account. Of course that makes data mining harder, which means less profit for Google. But that just begs the question: whose interests is Google really looking out for? It’s not even mainly about privacy anymore. If they were serious about security, they would stop already with the Google+ campaign, which only serves to further sweeten the pot for the potential identity thief.

  • Naive technologist

    This is just another example of Google’s massive information-gathering strategy. The mechanism above would work fine, if a) you wanted to hand Google your cell phone number, b) you leave yourself logged into Google the majority of the time (allowing them to track the bulk of your browsing habits), and c) you trusted Google not to share your information with third parties or use it for their own purposes without telling you.

    I believe Google has WAY too much information about people as things already stand. I don’t trust ANY company with that much personal information. I’m honestly astonished that the populace at large isn’t more alarmed by this trend. I weep for the future.

    • zzz

      Weep away. As long as Google keeps providing top notch services, they can take my “browsing habits” and run wild.

  • Le Pixel Solitaire

    When Facebook became another Big Brother, I closed my account. It seems that I’ll have to do the same with Google soon.