Google's five-year stronger consumer authentication roadmap

Google has revealed its five-year roadmap for stronger authentication and security, which includes a number of proposed adjustments to the way users login to its services, such as hardened access controls and long-life tokens. The roadmap shifts practices away from the traditional sign-in process that most users are currently familiar with, in favor of a more secure initial setup process for individual devices.

The "setup, not sign-in" model will require a more labored initial effort to gain access to an account on a device, but after this process, will eschew the need for repeated input of username/password combinations.

Google is unapologetic towards users who may resist the "higher friction" presented by this model of sign-in once-per-device. "We don't mind making it painful for users to sign into their device if they only have to do it once," said Eric Sachs, group product manager for identity at Google.

Google considers the difficult transition to new systems of authentication necessary in order to provide better security going forward. During a presentation at the IIW (Internet Identity Workshop) Conference in Mountain View, California, Google stated that they "plan to rollout a change to our login system in which we will be much more aggressive."

Google and some other web services have offered two-factor authentication for a couple years now, but soon it will be required for all Google accounts. The inclusion of these requirements is contingent on many modifications to the current two-factor authentication system, and presents multiple options for gaining access to your account. For example, users will be able to use a previously authorized device, such as a smartphone, to grant access to a new device, such as a tablet, using a cryptographic protocol that cannot be phished.

Google is also exploring new technologies for authentication, such as biometrics and Near Field Communication that let users identify themselves in different ways that do not rely on methods that historically have been easily compromised if the end-user lacks vigilance.