- 18 Hot IT Certifications for 2014
- CIOs Opting for IT Contractors Over Hiring Full-Time Staff
- 12 Best Free iOS 7 Holiday Shopping Apps
- For CMOs Big Data Can Lead to Big Profits
CSO - Google has released a draft of its next five-year plan for login authentication that tries to stay at least on par with criminal hackers, but recognizes that strong security requires industry collaboration.
[ALSO: 10 coolest Google R&D projects]
The draft, which was released Wednesday for security pros, explores where Google might head following its first five-year plan issued in 2008. The company declined to comment further on Thursday.
Over the last five years, the security landscape has changed dramatically with the broad adoption of smartphones, the rise in hijackings of website accounts and the evolution in hacking techniques and tools that require innovation in defenses.
This year, Google rolled out a two-step login process to attach a specific device to an accountholder. The company is now considering becoming much more aggressive with the mechanism, which is currently optional.
Users who skip two-factor authentication attached to a mobile phone may have to pass a challenge along with inputting the password on nearly all sign-ins.
Google also favors shifting as much of the authentication chores as possible on the device and its operating system. Once people sign at the OS level on an Android phone, Google would like to have those credentials work across all the apps on the device and websites accessed from the browser.
Currently, two-factor authentication usually involves a site sending to a person's mobile phone a text message with a number that they input to access services on that device. Google would like to switch to having an approved smartphone authorize another device through near-field communications over a cryptographic protocol that cannot be phished.
Google is a supporter of OpenID, an open standard that makes it possible for a cloud-based identity provider to store credentials, making them available to any website or any app on a mobile phone. However, that technology remains too complicated.
"While many sites want to add support for identity providers, there are still very hard usability problems and account linking issues," Google said in the draft. "We still believe that is the approach that the vast majority of websites should take, so Google will continue to support efforts to simplify those issues and define best practices."
Google also wants to implement the ChannelID open standard that locks cookies to the device that receives them. Websites will send a cookie after a visitor logs in to maintain that session. However, there are various techniques a hacker can use to steal that cookie in order to impersonate the accountholder. ChannelID solves the problem by not allowing any other device to use the same session cookie.
Security experts agree that Google's plans to improve security in its environment are solid and follow best practices. "They're stepping up to the plate with recognition that the current authentication mechanism that users use on the Internet today with passwords is broken," said Patrick Harding, chief technology officer for Ping Identity.