Google Says it Will Move Towards No Passwords

Posted on May 6, 2021 by Paul Thurrott in Cloud, Google with 35 Comments

While Microsoft has long embraced a world of “no passwords,” Google has been a bit slower. That’s going to change. Eventually.

“At Google, keeping you safe online is our top priority, so we continuously invest in new tools and features to keep your personal information safe, including your passwords,” Google’s Mark Risher writes. “We are already making password management easier and safer, and we’re … creating a future where one day you won’t need a password at all.”

Today, Google protects accounts with an optional two-step verification (2SV) process, intended to stop account takeover by anyone who learns the password. But because enrollment is voluntary, many users never turn this key account security feature on. Google says it will soon begin automatically enrolling users in 2SV when their accounts are set up appropriately, as judged by its Security Checkup.

Google also says it is working to make multi-factor authentication more seamless, and more secure than a password alone (a low bar), by building security-key functionality into Android devices and, on iOS, offering it through the Google Smart Lock app. In both cases the phone itself serves as the second factor. Google also makes its Password Manager available directly in Chrome and Android, and now on iOS as well.

What’s lacking from this little missive, of course, is how Google will move to passwordless sign-in for accounts, as Microsoft has already done. When you sign in to a Windows 10 PC for the first time, for example, all you need is your email address: Microsoft sends an approval prompt to the Authenticator app on your phone, so you never type a password. But when you sign in to a Google device running Chrome OS or Android, you must know your password even with 2SV enabled, which then also triggers a prompt on your phone. That’s dumb, and I’m curious when and how that will change.


35 responses to “Google Says it Will Move Towards No Passwords”

  1. shark47

    I've been impressed with Microsoft Authenticator so far. It's a shame that no company outside of Microsoft uses it.

    • mattbg

      You can use it as a generic 2FA code generator, and otherwise it can be used with anything that links to your Microsoft account (personal or Azure AD).

    • bleeman

      Actually, Microsoft Authenticator works with many different services and not just Microsoft's. I currently use it with Amazon, LastPass, Twitter, Instagram, Discord, Twitch, my health services, Best Buy, GoDaddy, Samsung, and many more. What I find funny is that the service one of my doctors uses had the option to set up two-factor authentication and it refers to it as Google Authenticator, but I'm using my Microsoft Authenticator without any problems.


      If you're not aware of it, to use it with many services you just go through their setup process, and when it gets to where they show you the QR code, click on the 3 dots in the upper right corner of the Authenticator app, Add Account, and select the Other account (Google, Facebook, etc.) option.


      There is one 2 step verification process Google has (and I don't recall how/where I use it, sorry) that I don't like at all. Instead of letting me use my authenticator they send me an SMS message with the code. To make matters worse they imposed this option on me and don't allow me to select my own 2 factor option. I'm getting to the point where if a service doesn't support my authenticator then I probably won't sign up for it. I get tired of having to find the e-mail, sms message, etc. instead of just being able to pull up MS Authenticator. I also like the change where I have implemented the requirement for my fingerprint in order to access Authenticator as well.

    • crunchyfrog

      I've actually been moving away from MS Authenticator as I have discovered its shortcomings. The biggest aggravation for me was when I set it up on a new iPhone and could not restore my profile from backup, it just fails every time. It's a known issue with lots of angry users so I moved to Authy.

  2. hrlngrv

    I'm willing to give my phone number to my bank, my insurance companies, my electric utility, my refuse hauler, because there are LAWS which require them to keep it private and not share it unless I opt in to allowing them to share it with their business partners. If Google offers any comparable opt-in, I haven't seen it. Thus, there's no chance in Hell I'm giving my phone number to a company which makes most of its revenues from ads. At least not until my phone carrier implements a white list system for incoming calls: one list for calls which would actually cause my handset to ring, another list which would go straight to voicemail, and EVERYONE ELSE gets no connection at all. Then and only then would I be willing to give Google my phone number.

  3. Lordbaal

    What about the people that have a regular old dumb phone? Or have just a landline?

    2FA is just an extra annoying step.

  4. paulkocz

    I work in a school with primary-age children, 5-12 roughly. How do Microsoft and Google make it a password-less world for this age group? These kids don't have phones for 2FA, etc. As an example, I rolled out Surface Go 2s this year and thought it would be great to have kids use facial recognition for login. BUT it doesn't work for this scenario. And yet this is a perfect example of one of the best places to use it. Kids need to have a mobile phone, backup device, alternative email, etc., all great things, but there needs to be a way that this works in this type of environment. I suspect there would be thousands of organisations that would be uncomfortable with staff using third-party email addresses or mobile devices for 2FA as well. Until then, I suspect that Microsoft and Google will talk this up and one day offer a real solution a long way from now.

  5. peterh_oz

    My issue is that it is so easy to get around the security (Microsoft) simply by choosing "use a password instead".

    If I could choose to only allow the Authenticator, or set the password workaround as 2FA, then I'd be happier.

    And now someone will say that you can and I've never realised lol

  6. davidmco65

    You clearly have a very biased view of this. The ONLY place Microsoft is passwordless is on their own computers, using their own services. Don't run on a Windows box? All passwords, all the time, using Microsoft services. You failed to mention that aspect.

  7. qaelith2112

    By the way, Paul, speaking of authentication: You had a complaint on this week's Windows Weekly about Apple and Google occasionally making you use your password or PIN on iOS and Android mobile devices and didn't see why that made sense. Without understanding the particular threat model they're addressing, it does seem crazy. There is a particular threat that is driving this, though: The coerced fingerprint login.


    The solution isn't perfect, because if you're made to put your finger on the reader within the timeframe where it doesn't require the PIN/password, the measure doesn't help you. On the other hand, say you've lost your device or had it taken and for whatever reason there is enough delay between then and your being forced to offer up the fingerprint, now that saves your device from being compromised. The "enter password or PIN" thing has a set time frame where it will be asked no matter what, and I believe it might have random intervals that may be less than that as well.


    The idea here is that you can be forced to relinquish your finger ("something you have") for biometric unlock but you cannot be made to divulge a password ("something you know"). Apparently the implementation of these fingerprint authenticators with the occasional PIN requirement is part of the industry guidelines / best practices specifically to add some extra possibility of thwarting at least some of those coerced unlocks. So Google and Microsoft didn't just add this incorrectly thinking it's more secure than a fingerprint, it was a deliberate act based on the guidance for that specific threat situation. How effective this is might be debatable and whether it helps often enough to be worth the inconvenience is also a fair debate topic but please understand that it wasn't just lunacy on Google's and Apple's part.
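The mitigation qaelith2112 describes is a time-bounded fallback: a biometric can unlock the device only while a recent knowledge-factor unlock is still "fresh", and a reboot or a run of failed matches ends that grace period, so an attacker who obtains the device and cannot coerce the owner quickly enough is left needing the PIN. The following is an editor-added model of that rule, not Google's or Apple's code; the 72-hour window and five-failure limit are assumptions chosen for illustration, not the vendors' actual values. The point it makes concrete is that a successful biometric unlock must not extend the window, otherwise repeated fingerprint unlocks would keep the device in its weaker state indefinitely.

```python
"""Editor-added model of biometric unlock gated on a recent knowledge-factor unlock.
Thresholds are illustrative assumptions, not any vendor's real policy."""
from dataclasses import dataclass
from typing import Optional

MAX_BIO_WINDOW_S = 72 * 3600   # assumed: PIN required this long after the last PIN unlock
MAX_BIO_FAILURES = 5            # assumed: consecutive mismatches that force the PIN


@dataclass
class LockState:
    # Time of the last PIN/password unlock; None means none since boot, because a
    # reboot discards the in-memory key material that biometrics release.
    last_strong_auth: Optional[int] = None
    bio_failures: int = 0

    def boot(self) -> None:
        self.last_strong_auth = None
        self.bio_failures = 0

    def strong_auth(self, now: int) -> None:
        """A PIN/password unlock opens a fresh biometric grace window."""
        self.last_strong_auth = now
        self.bio_failures = 0

    def biometric_allowed(self, now: int) -> bool:
        if self.last_strong_auth is None:
            return False                                # nothing since boot
        if now - self.last_strong_auth > MAX_BIO_WINDOW_S:
            return False                                # grace window expired
        return self.bio_failures < MAX_BIO_FAILURES     # too many bad fingers

    def biometric_attempt(self, now: int, matched: bool) -> str:
        """Returns 'unlocked', 'retry' or 'pin_required'.  Note that a successful
        match deliberately does NOT touch last_strong_auth."""
        if not self.biometric_allowed(now):
            return "pin_required"
        if matched:
            return "unlocked"
        self.bio_failures += 1
        return "pin_required" if self.bio_failures >= MAX_BIO_FAILURES else "retry"


def coerced_unlock_scenario(delay_s: int) -> bool:
    """Owner unlocked with PIN at t=0 and the device is taken immediately.  After
    `delay_s` seconds the owner is forced to present a matching finger.  Returns
    True if that alone unlocks the device, False if the PIN is now also needed."""
    device = LockState()
    device.strong_auth(0)
    return device.biometric_attempt(delay_s, matched=True) == "unlocked"


if __name__ == "__main__":
    for delay in (60, 24 * 3600, MAX_BIO_WINDOW_S + 60):
        print(f"coerced fingerprint after {delay:>7}s unlocks device: "
              f"{coerced_unlock_scenario(delay)}")
```

Whether the window is hours or days is a usability trade-off the commenter rightly flags as debatable; what the model shows is that the rule only helps when the delay between seizure and coercion exceeds the window, and that a reboot (which clears `last_strong_auth`) gives the same protection immediately.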

  8. chump2010

    Does anyone else think that the authentication apps should be on different devices to the one you're trying to login on? Otherwise it makes it a bit pointless. I thought the point was to prove ownership of two separate parts of the identity.


    Whereas if you have someone's phone, you actually can have both easily accessible - the mailbox and the phone number. Which kind of renders the whole thing a bit worthless.


    • brycecampbell

      I think there is merit to that too. I personally use the YubiKey Authenticator for most things. But the password free login of my Microsoft services with the Microsoft Authenticator app makes me keep that around too.

  9. red.radar

    As long as I don't have to install a Google Application on my smart device I am ok with this. I currently use Microsoft Authenticator and make it spit out 6 digit codes.


    I have grown to regret that I signed up for a Gmail account many years ago during the beta phase. I was young and believed Google's "Do no evil" mantra. I have used that email for so many things over the last 15 years that even though I have tried to migrate things to another service, I still get random emails. I have a footprint I will never be able to fully track down and delete.


    Thus, I can never delete or close my Google account. It would be a security nightmare if I ever did.

    I really don't want to maintain a Google App on my device just so I can watchdog my email account.


  10. randallcorn

    OK


    So my company has users with no mobile phones. So I cannot use an app for 2 factor. I could use YubiKey (I like them). Some computers are on a domain and some are not, so SSO would have to be optional. Suggestions?

  11. timewash902

    I don't think it should be called dumb when Google prompts you for a code after your password. That is, in fact, the second step in verification.

  12. minke

    What is really bad is that using 2SV or 2FA can lock you out of your free Google account forever with no recourse other than automated forms and responses, which do not always work correctly. Many people have lost all of their email, photos, docs, etc. It almost happened to me and I had every alternate method set up: backup email, phone number, authenticator app, one-time passcodes. But, Google in its infinite wisdom would only send a code to an old phone number I no longer had access to. It wouldn't use any of the other authentication methods. To add insult to injury I was logging in from my own home on a Chromebook too! If 2SV and 2FA can lock you out they need to provide reliable ways to get back in no matter what.

  13. bluvg

    "Google has been a bit slower."


    I'm not sure they are less committed. They make their own FIDO/U2F keys, for example, and Microsoft's support for their own products is great in some areas (O365), absolutely abysmal in others (RDP, for example).

  14. mattbg

    On passwordless authentication in general, one annoyance I'm having at the moment is that any time someone tries to hack my Microsoft account, I get a request to authorize that request.


    I've had two or three in the last few days.


    I guess it's good to know that someone tried to login to your account, but it's only a matter of time before I click "approve" on one of these by mistake or when it happens concurrently with my own attempt to login :)

    • bls

      Agree it's a low-probability high-risk issue, but on most Microsoft Account logins, the client is also identified by a 2-digit number that is displayed on the client device, and listed as one of 4 possibilities on the Authenticator app.


      You need to pay enough attention to this to make sure to tap the correct value, which further reduces the possibility of your death-knell scenario happening.


      That said, not all Microsoft apps and services implement this yet, so it's too early to take a really deep breath.


      There's always something!

    • bluvg

      You might want to try something like a Yubikey. No need for an authenticator prompt or worry about inadvertently approving a malicious request (MFA fatigue error). Less hassle and more secure to boot, and they're not expensive.
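Number matching, as bls describes it, is what turns a push prompt from a single "Approve" button into a small challenge: the sign-in screen shows a two-digit number, the phone shows that number among decoys, and the request completes only if the user taps the right one. An attacker who triggers the prompt cannot see the victim's screen, so a victim who taps reflexively (the MFA fatigue case mattbg worries about) only lets them in one time in four rather than every time, and a wrong tap burns the request. The following is an editor-added, simplified model of that server-side logic, not Microsoft's implementation; the four-choice layout follows the comment, and `seed` exists only so the simulation is reproducible.

```python
"""Editor-added model of number-matching push approval.  Simplified illustration;
not Microsoft's code.  CHOICES follows the '4 possibilities' in the comment."""
import random
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CHOICES = 4   # assumed from the comment: one correct number plus three decoys


@dataclass
class PendingLogin:
    request_id: str
    shown_number: int          # displayed on the device attempting to sign in
    choices: Tuple[int, ...]   # displayed, shuffled, in the authenticator app
    state: str = "pending"     # pending -> approved | denied


class PushBroker:
    def __init__(self, seed: Optional[int] = None):
        # A seed makes simulations reproducible; production uses the OS CSPRNG.
        self.rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
        self.pending: Dict[str, PendingLogin] = {}

    def start_login(self, user: str) -> PendingLogin:
        """Create a request with a fresh number; the decoys are distinct from it."""
        numbers = self.rng.sample(range(10, 100), CHOICES)   # two-digit, all distinct
        correct = numbers[0]
        shuffled = numbers[:]
        self.rng.shuffle(shuffled)
        req = PendingLogin(f"{user}:{secrets.token_hex(8)}", correct, tuple(shuffled))
        self.pending[req.request_id] = req
        return req

    def approve(self, request_id: str, tapped: int) -> str:
        """Single use: a wrong tap denies the request for good, so an attacker
        cannot keep the same prompt alive until the victim guesses right."""
        req = self.pending.get(request_id)
        if req is None or req.state != "pending":
            return "invalid"
        req.state = "approved" if tapped == req.shown_number else "denied"
        return req.state


def fatigue_success_rate(trials: int, seed: int = 0) -> float:
    """Attacker starts the login (so the victim never sees the number); the worn-down
    victim taps an arbitrary choice just to make the prompt stop.  With a plain
    Approve button this would succeed every time; here it should approach 1/CHOICES."""
    broker = PushBroker(seed=seed)
    victim = random.Random(seed + 1)
    approved = 0
    for _ in range(trials):
        req = broker.start_login("victim")
        if broker.approve(req.request_id, victim.choice(req.choices)) == "approved":
            approved += 1
    return approved / trials


if __name__ == "__main__":
    print(f"blind-tap approval rate over 2000 attacker prompts: "
          f"{fatigue_success_rate(2000):.3f} (plain approve button: 1.000)")
```

The residual one-in-four is why the hardware key bluvg suggests is the stronger fix: a FIDO authenticator never asks the user to approve anything out of band, so there is no prompt to fatigue. Number matching is the mitigation for the cases where a push prompt is still the mechanism in use.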

  15. crunchyfrog

    Google should adopt Steve Gibson's Secure Quick Reliable Login (SQRL)

    • bschnatt

      Agree. I'm surprised no one is using this (as far as I know), or talking about it. I've been following Security Now for years and Steve (and others) have put a tremendous amount of work into that...

      • IanYates82

        It's a nice idea.


        It took too long to get developed. Great that it's tight, and done in assembler, etc. But that caused a super long lead time and makes it hard for others to build on the main client, or to even poke around.

        The explainer docs are wonderful of course.


        Others have implemented clients for other platforms. That's good.


        But I think the password managers, and second factor apps, got more of the mindshare unfortunately

  16. irob

    Forget about Authenticators (Google or Microsoft).

    The problem described by the author is true.

    You can access your Microsoft account without a password and without any authenticators. You just approve the access from a logged in account on your phone. Just approve.

    With Google however you NEED to remove the 2fa to reach their passwordless access system.

    Which will make the account accessible only by a password (without any 2FA).

    WTH?

    Why would you remove the 2fa (if you access with password) in order to access via passwordless system?

    Microsoft does not do that: if you use the password you will still need to use a 2fa. Which is much more secure. And logical!
