Did Google Miss the Mark With Push To Make Passwords Obsolete?

Chris Taylor

On Saturday, Forbes discussed Google’s 2014 vision to make user-generated passwords obsolete. It’s an initiative that deserves praise and is long overdue. Someone is finally taking strong authentication and identity-based security seriously — particularly in the consumer space. It does, however, come with some caveats.

Google is demonstrating that identity-based security solutions are available for the masses (i.e., consumers), not just their own internal employee base, where this technology was tested. Per the Forbes article, “the Internet giant plans to release an ultra-secure and easy to use identity verification platform that eliminates the need for long, user-generated passwords. Dubbed U2F (Universal 2nd Factor), the consumer-facing side of this initiative will be a USB dongle called the YubiKey Neo.

“Built to Google’s specifications by security specialist Yubico, the YubiKey Neo is a small, durable and driverless device that requires no battery. Plugged into your computer’s USB port it will add a second, highly secure layer of verification when you point Google’s Chrome browser to your Gmail or Google Docs account.”

While the YubiKey has been leveraged by password-management vendors like LastPass for a couple of years, Google pushing the technology could help it finally gain critical mass. But there are some head-scratching decisions attached to this project. I applaud them, but feel they fell short of providing a strong end-user experience. There is always a balance of authentication strength, cost and user experience for the spectrum of use cases. Given this is targeted at consumers, the solution misses in a number of key areas.

First, this is a USB device. Many users may feel leery of sticking a USB device into their PC. What else is on this dongle? Also, what happens if I’m using a device that doesn’t support a USB port like my iPad or any other tablet? Or, perhaps, I don’t have any free USB ports at all.

This is a strong authentication solution that verifies digital identities via multiple factors: something “I know” and something “I have.” I have an issue with the “I have” — a USB token. Great, something else I need to put on my keychain with all of the other gadgets, keys and fobs that are forced upon consumers. How many users are going to misplace, drop, or leave the USB somewhere?

As for the “I know” part, a four-digit PIN shouldn’t be an issue. To play devil’s advocate, I wonder how many users will use the same PIN that’s already in place to “lock” their mobile device?

And this is where I believe Google really missed the mark. Why not a mobile form factor? Mobile devices are prolific. Despite inaccurate beliefs and sensational media headlines, mobile devices are secure and can be leveraged to secure any number of digital identities and transactions. It’s just the solution Google is looking for but didn’t employ.

Putting digital identities on mobile devices for strong authentication, as well as securing transactions, is available today.

Chris Taylor
Senior Product Manager

Chris manages Entrust’s flagship identity-based software authentication platform, Entrust IdentityGuard, as well as its supporting applications and integrations with third-party access management systems. He specializes in identity-based security, cybersecurity, mobile security, smartcard technology and employing digital certificates. Chris is responsible for driving the Entrust IdentityGuard product strategy and roadmap, along with its execution from a product launch perspective.


  1. Robert Quattlebaum November 12, 2014

    The whole lure of U2F is that you can have one token to rule them all: it is completely decentralized, scalable, and flexible. The end goal is to do away with all other security tokens so that you just have a U2F token on your keychain.

    You say Google “missed the mark”, but I don’t think this is true at all. There is absolutely nothing preventing mobile devices from being U2F devices themselves, allowing you to authenticate to services on your device without needing to worry about a separate token.

    NFC U2F is also coming soon and will use the same protocol from a service perspective. By services implementing this protocol, they will be able to support all sorts of security tokens: USB/HID, NFC, or integrated mobile.

    They didn’t miss the mark. This is the first step.

  2. chris November 13, 2014

    Yes, if you’re drinking the FIDO kool-aid.. :-) …we are taking a ‘wait and see’ approach at the moment regarding FIDO…
