Passwords are a real pain – and Google knows it. In a blog post published this week, Director of User Security at Google, Mark Risher, pledged to work towards solutions that remove passwords entirely from the login process. Not only will this make logging in painless, but it should also make your online accounts safer. After all, people often re-use passwords across multiple accounts, so only one of these websites needs to be hacked to unlock dozens of others, and many choose easy-to-guess passwords, like the perennially popular “123456” (no, really).
“You may not realise it, but passwords are the single biggest threat to your online security – they’re easy to steal, they’re hard to remember, and managing them is tedious,” writes Mark Risher. “In 2020, searches for ‘how strong is my password’ increased by 300%. Unfortunately, even the strongest passwords can be compromised and used by an attacker – that’s why we invested in security controls that prevent you from using weak or compromised passwords.
“At Google, keeping you safe online is our top priority, so we continuously invest in new tools and features to keep your personal information safe, including your passwords. We are already making password management easier and safer, and we’re providing a sneak peek at how our continued innovation is creating a future where one day you won’t need a password at all.”
While a password-less future for your Gmail, YouTube, and Google Docs accounts might still be a little way off, Google announced a change that will kick in much sooner.
Google already offers two-step verification as an optional extra to protect your account. For those who don’t know, two-step verification means a username and password alone aren’t enough to gain access to an account. To log in successfully, you’ll also need to input a randomly generated code, which is sent somewhere that only the account owner would have access to – like a separate email address, a mobile phone number, or a smartphone app like Google Authenticator.
So, should hackers get their hands on your username and password, they won’t be able to log in without access to your mobile phone number or personal email address.
While two-step verification is currently voluntary for all Google account owners, that is set to change. In the near future, Google plans to make two-step verification mandatory for all accounts. Before that happens, Google says it plans to improve some of its multi-factor authentication methods.
To make getting your hands on that uniquely-generated code a little easier, Google plans to build security keys into Android devices and make them available through the Google Smart Lock app for iOS. So, you won’t need to have a mobile signal… you’ll be able to use your phone itself as verification that it is really you trying to log in to your account.
And while passwords are living on borrowed time, Google acknowledges they’re likely to be around for a little while longer.
As such, it’s boosting its Password Manager tool, which is built into Google Chrome and Android, and is coming to iOS soon. This makes having a uniquely-generated password for every online account easy, as you don’t need to remember any of them. All you need to do is log in to the Password Manager, using a facial or fingerprint scan, and then Google’s app will fill in everything for you.
Google recently added a Password Import feature, which lets you upload up to 1,000 passwords at a time from various third-party websites or apps for free.
Risher concludes, “Features like Password Import, Password Manager and Security Checkup – combined with authentication products like Sign-in with Google – reduce the spread of weak credentials. All are examples of how we’re working to make your online experience safer and easier – not just on Google, but across the web. One day, we hope stolen passwords will be a thing of the past, because passwords will be a thing of the past, but until then Google will continue to keep you and your passwords safe.”
Reacting to the announcement, Jake Moore, Cybersecurity Specialist at ESET, told Express.co.uk: “Google are clearly taking the leap of faith desperately needed to help with the problems in account security. Simply offering multi-factor authentication, MFA, has not enticed enough people into protecting their accounts but technology firms have worried a forceful compulsory move might push some users away.
“However, this advancement in educating those with weak security will bolster their accounts, especially for those who continue to reuse passwords, and help educate those who need it the most. If you want to add an even stronger layer of security to your accounts, try using an authenticator application instead of relying on the SMS version of MFA.”