Google is using open-source encryption to make the internet a safer place. By giving developers first crack at cutting their own pass keys, the Silicon Valley giant hopes that increased adoption of its new security system will lure the Fortune 500 to its cloud services.
The search-and-advertising company’s OpenSKOpens a new window project offers a more robust layer of protection than passwords, which are soft targets for attackers seeking ways into personal accounts. Once there, they can invade systems and compromise companies.
OpenSK uses a two-factor authentication standard pioneered by the Fast Identification On-Line Alliance, or FIDO, which calls on hardware containing unique access codes rather than passwords. The industry group is committed to a password-free internetOpens a new window .
Making software libraries publicly available to run reference hardware provides developers with tools to create their own FIDO authenticators. Google engineers call OpenSK an experimental research platform but the company hopes that enterprises will examine the technology and then adopt it.
FIDO-friendly firmware
To spur development, Google has added a dongle produced by Nordic SemiconductorOpens a new window to the Titan family of security keys it introduced two years ago. The Norwegian maker’s widget contains a system-on-chip that interfaces through a USB port or using Bluetooth wireless and near-field communication.
The Nordic dongle and tokens in the Titan lineup contain firmware compatible with FIDO U2F and FIDO2 standards for both desktop and mobile. They use authentication protocols from the seven-year-old alliance that take passwords out of the equation.
The result is a design that Google says can beat the bots, phishing scams and targeted attacks that employ public-key cryptography to verify user identities and log-in pages – even if account holders inadvertently display passwords.
Indeed, Google claims it hasn’t suffered a breach since shifting its more than 80,000 employees to Titan in 2017. The Nordic dongle possess the same capabilities and lets users fashion their own carrying case with a 3D printer.
Operational flexibility
To achieve OpenSK aims, Google is using the Rust programming language developed by rival browser publisher Mozilla to code the key’s operating system.
Called TockOSOpens a new window , its features include an architecture that fences the security applet from its drivers and from the kernel in the Nordic SoC’s 32-bit Arm core.
Google’s engineers say the programming language works to limit logic attacks thanks to the easy abstraction and safety enhancements for its flash-friendly memory. TockOS is available on the GitHub code repository, where developers can access blueprints and upload innovations.
Tighter measures
Two-factor authentication is at least as old as the automatic teller machine, which requires a card and pre-set password to access an account. With the advent of online banking, the methodology has produced innovations such as one-time codes sent via SMS services to execute instructions.
But the security vulnerabilitiesOpens a new window of wireless transmitters make them less than ideal – hence, Google’s action to shore up defenses. Other moves by the company include barring users from accessing G Suite productivity tools via apps that share usernames and passwords.
Google also is blocking downloadsOpens a new window by its Chrome browser of mixed-content files containing text and images over unencrypted web protocols.
Cloud challenges
Making security a hallmarkOpens a new window is increasingly important for Google as it leverages its dominance in search to other sectors. More than two billion people use its Gmail platform to send e-mails over the web and more than one billion computing devices run its Chrome browser.
Yet, it’s in the cloud where Google lags, trailing Amazon Web Services and Microsoft Azure by a wide margin in global league tables. Both competitors support the FIDO Alliance push for a web that’s password-free.
Meanwhile, the Alphabet subsidiary is building partnerships that drive enterprises to its Google Cloud Platform as they revamp their IT landscapes. Taking up the open-source security baton is one more way Google can stick it to the market leaders.