On Saturday, Forbes discussed Google’s 2014 vision to make user-generated passwords obsolete. It’s an initiative that deserves praise and is long overdue. Someone is finally taking strong authentication and identity-based security seriously — particularly in the consumer space. It does, however, come with some caveats.
Google is demonstrating that identity-based security solutions are available for the masses (i.e., consumers), not just their own internal employee base. Per the Forbes article, “the Internet giant plans to release an ultra-secure and easy to use identity verification platform that eliminates the need for long, user-generated passwords. Dubbed U2F (Universal 2nd Factor), the consumer-facing side of this initiative will be a USB dongle called the YubiKey Neo.
“Built to Google’s specifications by security specialist Yubico, the YubiKey Neo is a small, durable and driverless device that requires no battery. Plugged into your computer’s USB port it will add a second, highly secure layer of verification when you point Google’s Chrome browser to your Gmail or Google Docs account.”
While the YubiKey has been used by password-management vendors like LastPass for a couple of years, Google pushing the technology could help it finally gain critical mass. But there are some questionable decisions attached to this project.
I applaud them, but feel they fell short of providing a strong end-user experience. There is always a balance between authentication strength, cost and user experience across the spectrum of use cases. Given that this is targeted at consumers, the solution misses in a number of key areas.
First, this is a USB device. Many users may feel leery of sticking a USB device into their PC. What else is on this dongle? Also, what happens if I'm using a device that has no USB port, like my iPad or any other tablet? Or perhaps I don't have any free USB ports at all.
Second, the USB device speaks a challenge-response protocol, not a one-time passcode. The YubiKey Neo described in the article is an NXP smartcard chip in a USB form factor; it still carries Yubico's older one-time-passcode (OTP) applet, but U2F does not use it. At registration the token generates a key pair for that site and hands the browser the public key plus a key handle; at login the browser passes the site's challenge and origin to the token, the user touches the button, and the token signs the challenge, the origin and a counter with the site-specific private key. As long as the token is present and touched, the browser can complete the authentication. Because this is a second factor rather than a certificate bound to an identity, the user still needs the username and password.
This is a strong authentication solution that verifies identities via multiple factors: something "I know" and something "I have." I have an issue with the "I have" — a USB token. Great, something else I need to put on my keychain with all of the other gadgets, keys, fobs that are forced upon consumers. How many users are going to misplace, drop, or leave the USB somewhere?
As for the "I know" part, U2F leaves that to the account password, and a password or a short PIN shouldn't be an issue. To play devil's advocate, I wonder how many users will reuse the same PIN that's already in place to "lock" their mobile device?
And this is where I believe Google really missed the mark. Why not a mobile form factor? Mobile devices are everywhere. Despite popular belief and sensational media headlines, mobile devices can be secured and can be leveraged to secure any number of digital identities and transactions. It's just the solution Google is looking for but didn't employ.
Putting digital identities on mobile devices for strong authentication, as well as for securing transactions, is available today.