Skip to main content

Google wants to eliminate passwords, but will that work in IT?

Is a smartphone the answer?

While there may be other implementations of a "password free" login, few are as simple and straightforward as the Google approach. Users don't have to know what's going on. They receive a notification that looks like a text message. They respond, verify the code, and gain access. In many ways, it's all about relieving the IT helpdesk and meeting corporate standards for two-factor authentication while not creating a burden for employees.

Google Nexus 6

That said, the one drawback is that employees will rely even more on their phones. Johnson says that could be a problem since hackers might start targeting the phones, even if it means stealing them or accessing them remotely, as they become more prevalent as a device used for authentication. A company would have to require that all employees have their smartphone available with them at all times, which is not always the case.

"The question arises of how much auditing could the IT and security teams do around logins and access, so that will have to be incorporated into existing monitoring and security operation processes and systems," says Johnson. "It continues the overall industry trend toward making your mobile device the most crucial and therefore valuable target for attackers."

David Rivera, a senior software architect at Lenovo, says fingerprint logins have been available on Lenovo laptops for some time. He suggests that, instead of moving to only one authentication method as Google has described, it's better to combine multiple methods.

"Combining smartphone 'what you have' authentication with other forms of authentication that use 'who you are' (a biometric, like fingerprint) and 'what you know' (like a secure PIN) would provide the best level of security," he says. "It's up to the security and IT administrators in companies to determine which solutions fit best for them and their users."

Windows Hello

Other options

As you can guess, there are many options for enterprise security. Few are as streamlined or as easy for the end-user, but a few might match up better with corporate strategies.

For example, Rivera mentions that Intel recently announced that its Authenticate technology now works with the fingerprint readers on Lenovo ThinkPad laptops. Intel includes the technology as part of the Intel Core vPro processor line and can detect whether a smartphone is within the proximity of the laptop and require additional steps, such as entering a password.

Microsoft recently introduced an authentication system with Windows 10 called Windows Hello (pictured above). To login, the camera on a Microsoft Surface Pro tablet can scan your face or iris before allowing access. IT admins can require that the user enter a password.

The problem, of course, is that many large companies have not deployed Windows 10 yet. And, not every laptop offers the same biometric technology, so it's hard to standardise on one. That's what makes the Google approach – or something like it – a viable option because it could potentially work with any system, from desktops to laptops to tablets.