If you like it, Google might put a ring on it

In Information Security By Ryan Farmer / 30th January 2013


A recent Google Labs research paper explored ideas of alternative sign-in methods and more secure authentication techniques. As anyone who has used Gmail over the last few months will know, Google are desperate to introduce secondary forms of verifying your identity; namely submitting your mobile number so that the Mountain View-based internet giant can generate a one-time password. A current pilot study being run out of the Googleplex explores the idea of the mobile device as (rather than generating) the password: this is the passdevice.

Google are desperate to get user security right. They have a large existing user base across their search, messaging, mapping, and video services, and are firmly established as a market leader in consumer email. It isn’t just email though; your Google credentials are the same across the entirety of their platform and product range. What we are dealing with here then is a cross-platform online identity. With the increasing monetisation of services such as Wallet and the Play Store, there is also a direct loss impact to be felt should account security be compromised. There is a direct financial incentive, in terms of profit rather than just loss prevention, as Google tries to assure us that it is the homogenous web ecosystem… although let’s face it, no one is believing those Google+ user figures!

Search, Gmail, YouTube, Android OS, Play Store, Zagat, Maps, Motorola, Blogger, Drive, AdWords, AdMob, Analytics. Google offer a lot of free services, and constantly push the envelope in research (Goggles), only to scrap offerings that aren’t ‘working’ (read: not easily monetised) – Google Wave anyone? So there’s no questioning the value that they bring to the digital age, and the standing they have as one of the world’s most powerful (if not necessarily trusted – “don’t be evil”) brands. Is it that unreasonable then that they might ask something in return, something beyond $10-11bn/year profit and full knowledge of your online habits?

You see, Google are thinking along the same lines as Beyoncé here: if you like their services so much then you might as well let them put a ring on it. An authentication ring. Which all sounds very nice, until you start thinking that Web 2.0 giants like Facebook and Twitter, and arch-rivals Apple might like the idea – free advertising and the kind of brand commitment that wearing a real world ‘device’ entails. The whole initiative would take some time to roll out too, not just in terms of manufacturing and getting rings on fingers, but also in terms of devices and platforms that can read the token. Mobile phones are refreshed every 18-24 months, meaning that side of the industry wouldn’t take too long to catch up, but what about PCs – would a reader be connected via USB, retro-fitted, or built in during manufacture? And then there’s Apple, who haven’t exactly been playing ball with supporting their Californian neighbours’ products and services – considering the market share Apple still have in Western markets like the US and UK (and remarkably in Japan), Tim Cook (Apple CEO) may be the biggest road block on the ring’s route to market.

As a principle there are pros and cons from a security and usability perspective with ‘ring-thentication’ – to name a few… Will it be resilient? Water-proof? Easily blocked and replaced if lost or stolen? Will remote and/or security updates be possible? There are still questions to be answered, but what the research paper does do is finally try to take on the challenge of user inertia towards security and passwords. It’s so simple a solution that the user won’t have to do anything beyond making the initial decision to put the thing on.