How far is Google going in eliminating passwords?
We looked at Microsoft, let’s see how a couple other vendors are doing as well, starting with Google.
In September, we looked at Microsoft’s passwordless roadmap, in which they outline through four clear steps how they plan to eliminate passwords. But, they aren’t the only vendor working to get the industry to go passwordless.
Google has also made it clear they’re looking to help users step away from passwords, too. So, let’s take a look at what they’ve done so far.
Google’s passwordless strategy
While Microsoft made it easy for anyone to track progress by actually publishing a roadmap outlining the process and goals, other vendors haven’t been quite so open. But, we can examine what they have done to gauge where they may go.
Google has been working since at least 2013 to at least make passwords safer, declaring back then that “passwords are done at Google.” As we all know, you aren’t going to replace passwords immediately, it’s a gradual process starting with making passwords more secure. Google has worked on this aspect by incorporating multi-factor authentication tools like one-time passwords, implementing FIDO by allowing security keys as a second factor (they deployed this in their own workplace), and releasing their own first-party Titan Security Key product.
All good steps that make your password safer, but what about the next step, reducing the day-to-day usage of passwords? Google has taken a couple steps, focusing on Android. After releasing their own security key, they added the capability to Android devices running 7.0 to act as a software version of their Titan hardware key. You can also sign in via your Android smartphone instead of using password, which will create a prompt, not a simple SMS message, bypassing the need to use a password to sign in every time (the password still exists, though).
In August 2019, Google announced the ability for Android users to use biometrics to authenticate Google services and applications (again Android 7.0+). For the moment, this is limited just to Google Password Manager. It’s very similar in execution to Apple’s iCloud Keychain.
So, they made passwords more secure and offer some methods for using passwords less frequently, but very little when it comes to actually eliminating passwords in the near future. Additionally, they still have some work to do when it comes to securing passwords. I’d like to see Google do is remove the ability to use SMS as a second factor. We all know SMS isn’t very secure and yet Google still allows this option without so much as a message discouraging it (I can see keeping it as maybe not everyone has/can afford a security key or an Android device).
One way Google does acknowledge the weakness of SMS is in regards to their free Advanced Protection program that requires users to only use hardware security keys (you need two) to more greatly secure your Google accounts.
I reached out to Google to ask them more about their roadmap plans and heard back that their current goal is to make it so that users don’t have to only use passwords and making those passwords more secure with 2FA. Nothing yet, unfortunately, about actually eliminating passwords; but they do continue to improve each of the above services I mentioned. Hopefully we hear more around any passwordless goals they may have in the near future.
Quick passwordless thoughts
I’m genuinely curious how long it will take to eliminate passwords, since most people can likely agree that we’re all ready to ditch them. Right now, most of the products available right now involve eliminating the day-to-day usage of passwords. An important first step, sure, but hardly the actual “elimination” of passwords as articles around Google and other vendors often like to proclaim.
Thanks to the efforts of the FIDO Alliance, the key to everyone’s passwordless plans is standards based with FIDO2 and WebAuthn, which makes it easier for organizations to deploy eventual passwordless products.