Google makes a big security change, but other companies must follow

In a wonderful cybersecurity move that should be replicated by all vendors, Google is slowly moving to make multi-factor authentication (MFA) default. To confuse matters, Google isn’t calling MFA “MFA;’ instead it calls it “two-step verification (2SV).”

The more interesting part is that Google is also pushing the use of FIDO-compliant software that is embedded within the phone. It even has an iOS version, so it can be in all Android as well as Apple phones.

To be clear, this internal key is not designed to authenticate the user, according to Jonathan Skelker, product manager with Google Account Security. Android and iOS phones are using biometrics for that (mostly facial recognition with a few fingerprint authentications) — and biometrics, in theory, provides sufficient authentication. The FIDO-compliant software is designed to authenticate the device for non-phone access, such as for Gmail or Google Drive.

In short, biometrics authenticates the user and then the internal key authenticates the phone.

The next question that arises is whether other companies beyond Google will be able to leverage this app. I’m guessing that, given Google went out of its way to include arch-rival Apple, the answer is likely yes.

This all started May 6, when Google announced the default change in a blog post, heralding this as a key step in killing the ineffective password. 

On the one hand, having an almost-always-nearby phone serve as a hardware key replacement is smart security. It adds a touch of convenience to the process, which users should appreciate. And making its use a default setting is also clever, as the laziness of users is well known.

Instead of making users dig through the settings to activate Google’s flavor of MFA, it’s there by default. Let the few who don’t like it — from a security, pricing, and convenience perspective, there’s really not that much to dislike —spend their time pouring through settings.

But in an enterprise environment, there is still a big reason to stick with the external keys: consistency. First, these external keys have already been purchased in volume, so why not use them? Also, users have many different kinds of phones and standardization for employees and contractors just makes external keys easier.

In the interview, Skelker said there is no security advantage to Google’s internal keys when compared with external keys, given that both comply with FIDO. Then again, that’s as of today. There is a very strong probability that Google will soon — likely within a couple of years — sharply boost the security of its internal software keys. When and if that happens, the CIO/CISO decision will look very different.

Suddenly, you have a free key that is better than existing hardware keys. And it will be already be in the possession of almost all employees and contractors.

As much as I applaud Google’s effort to kill the password, there is an industry-wide issue across all verticals. As long as the overwhelming majority of vendors and enterprises require passwords, having a few places that don’t won’t help much. In a perfect world, users would refuse to access environments that still require passwords. Revenue has a way of getting executives’ attention.

But, sadly, most users don’t care enough to do that, nor do many understand the security risks posed by passwords and PINs, especially when used on their own.