Google wants to eliminate passwords, but will that work in IT?

What's good for consumers will be good for employees?

Google phone login

Google recently announced a new authentication idea that could eliminate passwords.

The concept, explained in a presentation here, uses your smartphone. You receive a notification on your phone alerting you to a new login. You authenticate by selecting yes or no, then confirm an ID number that appears at the login screen. There are no codes to enter, no passwords to remember, and no cumbersome biometric security steps.

While the idea was presented as a consumer login process (the slides show a login to Google Chrome and Gmail, not any enterprise services like Google for Work), there's a potential for using a similar approach for business logins, something that could save countless support desk calls when employees ask for a password reset. And, if effective in terms of corporate security, the system could protect assets and ward off hackers, who would not have access to the smartphone.

Several experts told techradar that the authentication concept makes sense, and in some cases is already available. However, there are some concerns about how it would be implemented in a mixed environment, and whether users might actually balk at the process.

Enterprise-grade?

Large companies have used various authentication methods for years, from face recognition to fingerprints and voice identification. What's appealing about the Google concept is that it makes it seamless for the user. Many enterprise security techniques can be confounding to the end-users, who just want to login and start working. Once presented with biometrics, they don't always understand the right steps to gain access or how to use them.

Mike Byrnes, a spokesperson for the security company Entrust Datacard, says the security Google is suggesting is already in use at some companies. There are several advantages, he says. One is ease of use. Employees do not have to remember (or write down) complex passwords or store a token they use for login purposes.

It's also much more secure than a password, because it uses a two-factor authentication method. Users have to initiate the login, then use a second device to confirm the access. The only downside is that an employee might not always have their phone, so many companies that offer this type of authentication offer a backup login process.

"While solutions can vary in implementation, professional-grade solutions leverage mobile phone biometrics and contextual analysis in the background to streamline the user experience and provide advanced security," says Byrnes. "There are no real cons to the solution other than your phone needs to be close by and connected to a data network."

Ben Johnson, Chief Security Strategist at Carbon Black, told us that Google's concept of using a smartphone for access makes sense for another reason. In the enterprise, employees are already used to the idea of having to use a secondary authentication method, such as a token or a VPN that requires you to type in a code that's sent by text or email.