The Authentication Problem
The past, present and future of our greatest online security challenge
I’ve been working in security research for twenty years, and as much as things have changed in that time, some challenges have persisted. When I think of today’s vulnerabilities, authentication — making sure only the right people get access to the right information — tops that list.
This subject might seem pretty basic compared to more headline-grabbing security issues. But in recent years authentication problems have become much more pervasive, complicated and important. We’ve seen an explosion of people accessing the Internet from all sorts of new devices, both as individuals and behind corporate firewalls, and those access points remain primary targets for bad actors wielding advanced phishing techniques. With hundreds of thousands of attacks now occurring per day, we can’t solve this problem on a case-by-case basis; security today is about automation and scale, and a big first step is helping people keep themselves safer.
At Google we’ve long been proponents of two-step verification, or 2SV, which adds an extra layer of protection even if someone has your password (and we’re glad this morning to learn that the President agrees).
The next, stronger step is the Security Key, a device that uses encryption to make sure only the authorized user who literally has the key in hand can access his or her account. The technology underlying Security Key raises the bar much higher than it’s ever been for phishing. That’s why we require everyone who works at Google to use Security Keys, and developed the underlying technology together with the other members of the FIDO Alliance, an industry consortium focused on creating strong, open authentication standards.
A more secure future
2SV and Security Keys are clear improvements to the password model. But we can do better, and most people don’t want to have to enter codes or carry around physical tokens in order to be safe online. So some of the brightest minds in the industry are reimagining things entirely by working toward a world without passwords. Multi-device authentication, for example, could allow your phone to verify your identity by signaling your laptop directly. Devices could recognize you using things like your voice or the way you walk. And these are only a few of the innovations we might see going forward.
Twenty years ago I never could have imagined the world we live in today, and I’m sure the next decade will be just as unpredictable. But I’m also sure that ten years from now, whether we’re changing legacy systems like passwords or taking on new challenges like networked devices and the Internet of Things, working together to share security knowledge and solutions will be our best shot at handling whatever challenges the future throws at us.
The Future of Security Roundtable is a Google-sponsored initiative that brings together thought leaders to discuss how we can best protect ourselves from the data breaches and security risks of tomorrow. Panelists are not affiliated with Google, and their opinions are their own. Read the post that kicked off the roundtable here and feel free to join in the conversation.