Google is trying to solve the problem of weak, password-based data protection.
Google has made several notable announcements in recent weeks regarding passwords and data protection. Some of them attempt to address password leaks and the weak protection that passwords alone provide.
Although the company itself stopped relying on passwords alone a few years ago and moved all of its staff to hardware security keys, it has not yet offered users of its services a way to abandon passwords entirely. Moreover, Google recently proposed protecting some private information with an additional password check.
Password plus a second factor: a must-have for everyone
While passwords are still the primary means of protecting user data and devices, they bring many problems with them. Passwords remain the weakest link in most security architectures and the root cause of many compromises. Industry breach reports have repeatedly put the share of hacking-related breaches that involve weak or stolen passwords above 80%.
The annually published lists of the most common passwords barely change from year to year. They regularly include trivial choices such as "123456", "password", "111111" and "qwerty", strings that sit at the top of every attacker's wordlist and are guessed instantly. The password "123456" alone was found on roughly 23 million breached online accounts.
One of the ways to strengthen account protection is two-factor authentication: in addition to the password, the service requests a second authentication factor, be it a code delivered by SMS, a code generated by an app such as Google Authenticator, or a physical security key connected to the device.
In early May, Google announced that it plans to make two-factor authentication the default option for user accounts. This decision is very significant for the entire IT market.
Two-factor authentication has long been available to Google account holders and has always been recommended, but it was optional. Now Google will enroll users in it automatically, starting with accounts that are already appropriately configured for it, making a second factor the default rather than an opt-in. Users can still turn it off and keep using only a password, but doing so naturally lowers the protection of the account.
Although many online platforms and companies support two-factor authentication, few insist on it. The main reason is friction: users do not want extra steps in their interactions with online services, and a mandatory second factor may simply drive them away.
In addition, users may not be confident configuring such options and, faced with the requirement, may refuse to use the service at all. Google's move to make it the default is therefore a major change in how user data is protected and a way to nudge both consumers and the market as a whole toward two-factor authentication as a baseline industry standard.
It can be assumed that Google has concluded that the problem of weak, reused passwords cannot be solved by anything short of changing the default level of account protection.
Preventing leaks, and an extra check for sensitive data
Another important password-related announcement came at the recent Google I/O conference. It is no secret that passwords regularly end up in data breaches, where they become known either to the attackers behind the breach or, when the stolen database is published, to anyone who wants them.
This is especially dangerous because people reuse the same password across sites: a password leaked from one service can be replayed against many others (credential stuffing), so a single breach puts several accounts at risk at once.
Chrome has long been able to check saved passwords against known breach corpora and warn users when one of theirs has been exposed. But users often ignore such warnings and never change the compromised password.
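A breach check like the one Chrome performs must not reveal the user's password, or even its full hash, to the checking service. The added example below (not Chrome's own code or protocol; Chrome uses a different private-set-intersection scheme) shows the widely used k-anonymity approach popularized by the Pwned Passwords API: the client hashes the password locally, sends only the first five hex characters of the SHA-1 hash, receives every known suffix for that prefix, and finishes the comparison itself. The breach dump is a small constructed list, not real data.

```python
import hashlib
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed breach corpus for illustration only; real corpora hold billions of
# entries. Repetition mimics how often each password recurs across breaches.
CONSTRUCTED_BREACH_DUMP = (
    ["123456"] * 23 + ["password"] * 9 + ["111111"] * 4 + ["qwerty"] * 6 + ["letmein"] * 2
)

PREFIX_LEN = 5  # hex chars (20 bits) of the SHA-1 hash that the client reveals


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachService:
    """Server side: indexes hashed passwords by prefix and answers range queries."""

    def __init__(self, passwords: List[str]) -> None:
        self.by_prefix: Dict[str, Counter] = defaultdict(Counter)
        for pw in passwords:
            h = sha1_hex(pw)
            self.by_prefix[h[:PREFIX_LEN]][h[PREFIX_LEN:]] += 1
        self.queries: List[str] = []  # everything the server ever learns about a lookup

    def range_query(self, prefix: str) -> Dict[str, int]:
        """Return all (suffix -> count) pairs sharing the prefix; the server never
        sees which suffix, if any, the client is interested in."""
        if len(prefix) != PREFIX_LEN:
            raise ValueError("client must send exactly the hash prefix")
        self.queries.append(prefix)
        return dict(self.by_prefix.get(prefix, {}))


def check_password(password: str, service: BreachService) -> Tuple[bool, int]:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns (seen_in_breach, occurrence_count)."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    candidates = service.range_query(prefix)
    count = candidates.get(suffix, 0)
    return count > 0, count


if __name__ == "__main__":
    svc = BreachService(CONSTRUCTED_BREACH_DUMP)
    for pw in ["123456", "qwerty", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw, svc)}")
    print("server only saw prefixes:", svc.queries)
```

The occurrence count matters for policy: a password seen once in an old dump is a warning, while one seen millions of times belongs on the block list at registration time as well as at login.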
Chrome has now received an important update: it will offer to change a password that has appeared in a breach. The feature is built on Duplex on the Web, Google's browser-automation technology, which lets Chrome navigate to the affected site and change the password in practically one click.
Another password-related announcement came at the end of May. Users can now protect the Web & App Activity page (part of My Activity), where Google collects a person's location history, web searches and queries, and YouTube viewing history, with an extra verification step: Google asks for the account password again before the page's contents are shown. Google considers this information sensitive enough to warrant the additional check.
Passwordless, or is a world without passwords possible?
Google's new password initiatives matter to the whole market. Two-factor authentication by default is something few consumer services have dared to do. It can be assumed that Google weighed the risks of reused passwords and other leak-mitigation measures against the friction of mandatory enrollment, and decided to take the initiative and protect users whether they ask for it or not.
It is noteworthy that when announcing the idea on its blog, Google called it a step toward a future without passwords, heading the post "A simpler and safer future — without passwords."
The long-standing recognition that password-based protection is far from perfect has driven the search for alternatives. Google's default two-factor authentication is a stop-gap rather than a true alternative: the password stays, with a second factor added beside it. At the moment the best-known replacement for passwords is biometric identification, such as Face ID or the fingerprint sensors built into most modern smartphones; many payment services rely on the same mechanism. In practice the biometric unlocks a cryptographic key stored on the device, which then authenticates to the service, so the biometric data itself never leaves the phone.
There have been successful attempts to replace passwords with voice recognition; such technologies are being developed by Nuance Communications and the Dutch bank ING. Another emerging identification technology is behavioral biometrics, which identifies a user by how they behave. The system builds a digital profile of a person from a number of parameters, including the angle at which the smartphone is held, the way keys are pressed, typing speed, scrolling patterns, and much more.
There are other approaches to "recognizing" a user, for example analyzing contextual signals, also known as risk-based authentication: a known device, a usual location, a familiar pattern of use. An online banking service might require only a password when you log in from your usual browser and network, but if your IP address or device differs from the usual ones, the bank will ask for a second factor, such as a call or an SMS, to confirm it is really its customer.
Google's move to improve data protection with default two-factor authentication is a major step forward, but SMS as a second factor is unreliable and even dangerous. SMS codes can be intercepted in transit (for example through weaknesses in the SS7 signaling network), phished and relayed in real time, or captured outright after a SIM-swap attack, in which the attacker persuades the carrier to move the victim's phone number to a SIM they control.
For better protection, therefore, it is worth using a hardware security key as the second factor. Google moved all of its employees to this method a few years ago and has reported no successful phishing of employee accounts since. The reason is that a FIDO key signs a challenge bound to the site's origin, so a login on a look-alike phishing page produces a signature the real site will not accept, and there is no code for the victim to type into the wrong place.
Authentication with hardware keys is supported by Google services and by other online services, in particular Facebook, Twitter, and Instagram. The key is a small device made by, for example, Yubico; Google also sells its own Titan Security Key.
To use one, you first register the key as a second factor in the account settings. Then, after entering the login and password, you simply plug the key into a USB port or hold it next to the device, if the key supports a wireless connection such as NFC or Bluetooth, and touch it to approve the login.
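The contextual-signal approach described above, combined with the preference for a hardware key over SMS, amounts to a policy decision at login time. The added example below (not code from Google, a bank, or the original article) shows such a step-up policy in Python: it compares the device and source network of a login attempt with the user's normal pattern and, when anything is unfamiliar, requests the strongest second factor the user has enrolled. The device identifiers, CIDR ranges (documentation addresses) and factor names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Second factors ordered weakest to strongest, following the argument in the text
# that SMS is interceptable and a FIDO security key is the strongest common option.
FACTOR_STRENGTH = ("sms", "otp_app", "security_key")


@dataclass
class UserProfile:
    known_devices: Set[str]                      # device/browser identifiers seen before
    known_networks: Set[str]                     # CIDR blocks the user normally connects from
    enrolled_factors: Set[str] = field(default_factory=set)


@dataclass
class LoginAttempt:
    device_id: str
    ip: str


def risk_signals(profile: UserProfile, attempt: LoginAttempt) -> List[str]:
    """Compare the contextual signals of this login with the user's usual pattern."""
    signals: List[str] = []
    if attempt.device_id not in profile.known_devices:
        signals.append("unknown_device")
    ip = ipaddress.ip_address(attempt.ip)
    if not any(ip in ipaddress.ip_network(net) for net in profile.known_networks):
        signals.append("unknown_network")
    return signals


def second_factor_for(profile: UserProfile,
                      attempt: LoginAttempt) -> Tuple[Optional[str], List[str]]:
    """Decide what to ask for after a correct password.

    Returns (factor, reasons). None means the password alone suffices; "deny"
    means the login looks risky and the user has no second factor to step up to,
    so the policy refuses rather than silently trusting the password."""
    signals = risk_signals(profile, attempt)
    if not signals:
        return None, signals
    for factor in reversed(FACTOR_STRENGTH):          # strongest enrolled factor first
        if factor in profile.enrolled_factors:
            return factor, signals
    return "deny", signals


if __name__ == "__main__":
    # Hypothetical profile: one known laptop, one home network, SMS and a key enrolled.
    profile = UserProfile({"fp-home-laptop"}, {"203.0.113.0/24"}, {"sms", "security_key"})
    for attempt in (LoginAttempt("fp-home-laptop", "203.0.113.42"),
                    LoginAttempt("fp-unknown", "203.0.113.42"),
                    LoginAttempt("fp-home-laptop", "198.51.100.9")):
        print(attempt, "->", second_factor_for(profile, attempt))
```

Note the deliberate asymmetry: a familiar context lowers friction, but an unfamiliar one never falls back to a weaker factor than the strongest the user has, and a user with nothing enrolled is refused rather than waved through.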
Bright password(less)? future
The changes announced by Google, and two-factor authentication enabled for users by default, are a major paradigm shift. The company has clearly understood that leaving data protection "at the mercy" of users is useless: even those who understand the threats want every interaction with their online accounts to take as few steps as possible.
Diligence, an understanding of the risks, and a grasp of basic cybersecurity cannot be expected from the average user, and only measures applied by default can meaningfully strengthen data protection.
At the same time, active development in the passwordless direction may well change the very paradigm of protecting user data, and a complete abandonment of passwords can no longer be dismissed as fantasy. What exactly will replace the familiar login (email) and password combination, however, is still hard to predict.