A bright living room in a house on the West Coast of the United States appears on the laptop screen, and in that living room, fully lit and talking straight into the camera, sits Google’s head of online security and identity. You expect a story about using a password manager and picking better passwords than ‘12345’ or ‘secret’, as quite a few Dutch people still do. But that is not what Mark Risher, for that is his name, has come to say. To the delight of many Americans, he has come to say that, as far as Google is concerned, it is safe to have no password at all.
“Passwords are a leftover from the days when there was one computer in a university or a library,” says Risher. On that computer you proved it was you by typing in a password. We have hardly got any further than that.
And that is a problem, because we now use far more devices that each need a password, and you can no longer even order a new face cream without creating an account. Since nobody can remember all of those passwords, and not everyone stores them securely, the average person now has some 75 passwords that fall into roughly three categories, according to Risher.
“Usually the one for your bank is very safe, and simply memorised. Then there is a combination of a name and a number for your Facebook account, which is a little more secure, and then there is a whole bunch of services where it seems fine to use your pet’s name spelled backwards.” Data breaches and recent police reports show that a hacker only needs to break into your Marktplaats account once to, say, sell a phone in your name and make off with the unsuspecting buyer’s money.
The password is yours, and scammers or hackers have to get it from you, and that is exactly the problem, Risher says. Even two-factor authentication, where you enter a code sent by text message to your phone before you can get into your Twitter account, can be bypassed. All scammers have to do is set up a fake login page on which an unsuspecting user enters that code, and intercept it.
All of this has to change, according to Google. It should no longer be up to the user to check whether you are signing in to the real google.nl or a lookalike; it is up to google.nl to confirm your identity. That is possible with a security key. Compare it to the pass you hold against a card reader to enter a building: it only lets you in because it is linked to your account.
These security keys come in the form of USB sticks that you plug into a computer to verify your identity, but they can also live on phones. Google already builds a security key into Android phones, and there is an iOS version too, which verifies your identity, or more precisely, that the security key on that iPhone is yours.
If you try to sign in with your Google account on your computer, you receive a push message on your phone asking you to confirm. That phone also has to be near the computer in question. Your mobile phone, which you probably carry with you for most of the day anyway, becomes the pass you hold against a virtual card reader to get into your account, with a backup code, stored in a safe (physical) place, to recover your account should you lose your phone.
There are also open standards for this, such as WebAuthn, which Google participates in as well. Is this method watertight? No, Risher says. But it is a lot harder for a hacker, who would have to get hold of your phone, unlock it (often with a fingerprint), and get close to the device you are trying to log in to.
Signing in with your Google account goes beyond getting into Google Docs or Gmail. As with Apple and Facebook accounts, Google lets you sign in to third-party services with it: sports apps holding health and location data, online games, concert ticket sales and, if you like, even your smart thermostat. For those who want it, a Google account becomes the security key to your (digital) life. Signing in becomes setting up: buy a new PC or tablet, set it up properly once, and everything is secured, Mark Risher promises on behalf of Google from his American living room.
This is where it gets tricky, says Bart Jacobs, professor of computer security at Radboud University. You have to trust Google a great deal to hand over all your passwords and replace them with a security key from, of all parties, Google. We know from Edward Snowden’s revelations about the wiretapping practices of US government agencies that the big tech companies can be tapped. Who is to say something like that will never happen again?
Jacobs also points to the risk of concentrating so much responsibility in one party, whether that is Google or a competitor. What if the servers on which all those logins are stored go down? At the end of last year almost all Google services, from YouTube to Google Maps to Google Meet and Gmail, were unusable for signed-in users for half an hour because of an outage. If you buy several services from one provider, your dependence on that provider becomes enormous.
Then there is the way Google makes its money, mainly by selling ads based on user behaviour. Who can guarantee, Jacobs asks, that Google will do nothing with its knowledge of where you sign in? Jacobs therefore sees more promise in an open online identity: one personal digital key for all doors on the web, open source, so that everyone can inspect and copy its source code, and run by a non-profit organisation.
The European Union recently presented its plan for such an e-identity, an online identity for residents of member states that sits outside the big US technology platforms. Jacobs: “Companies like Google can pretend they want the best for the world, but they have a business agenda. Often that is not the same agenda I have as a user.”