Google has published its five-year roadmap for user security

May 10, 2013 08:05 GMT

Google has been working on beefing up user security, particularly when it comes to authentication and logins. It was the first mainstream site to introduce two-factor authentication and it's been pushing for even stronger authentication methods.

There has been talk about Google working on authentication beyond the password. But it's not just talk; Google is seriously working on it. In fact, it's been working on it for five years, and it has now published a new five-year plan on "strong authentication."

One thing that Google has planned for the short to mid-term future is enabling two-factor authentication for everyone.

Currently, the feature is optional, but Google plans to require all users to provide more than just a password the first time they log in with a new browser or device.

"The users who have not enabled our strict 2-factor login will be asked to pass a 2-factor challenge on nearly all sign-ins," Google explained in the new document.

"If they don’t have their phone with them they can still go through account recovery (which requires changing their password), and we will experiment with allowing them to pass some other risk-based challenges without needing to change their password," it added.

Beyond that, Google plans to make good use of smartphones or even dedicated devices to provide better authentication options.

Google notes the success of the Google Authenticator app, but believes next-generation apps should go beyond just providing a code, which still leaves users exposed to phishing attacks.

Alternatively, users may be asked to authorize a login via a mobile app, making it a lot harder for attackers to intercept the communications.

Beyond that, Google wants devices to be able to authorize other devices directly, for example using your Android phone to authorize your tablet. This approach has several challenges, particularly on operating systems that Google doesn't control.

This is why Google is working with other groups on a universal authentication system and on devices such as a USB keychain or even biometric devices, which could be used for authorization.