Google password and infrastructure plans signal shift toward world of federated identity
Google has come out with two new security changes that, though flying under the radar, signify a fundamental shift in how people approach trust in enterprise environments. We are excited to see the beginnings take root in a company like Google, as it aligns directly with Ping's vision for a world of federated identity.
Based on what we've seen so far, Google is rolling out a change to its login process that separates the prompts for username and password, so users type in their credentials on two separate pages instead of on one shared page. Additionally, Google has adopted a new approach to enterprise security, dubbed BeyondCorp (revealed publicly by The Wall Street Journal), that assumes its internal network is as dangerous as the Internet and relies solely on device and user credentials regardless of employee location. Employees will use single sign-on and dynamic authorization that changes as the need for specific people to have access to specific resources changes over time.
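To make the BeyondCorp idea concrete, here is an added example (not Google's code, nor Ping's) of an access decision that takes user identity and device state as its inputs and deliberately ignores where the request came from. The device tiers, resource names and policy table are constructed for the example; "dynamic authorization" is modelled as a policy table that can be changed at runtime without touching the decision logic.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Set, Tuple

class DeviceTier(IntEnum):
    UNKNOWN = 0   # not enrolled in the device inventory (treated as hostile)
    MANAGED = 1   # enrolled, but missing encryption or patches
    TRUSTED = 2   # enrolled, encrypted and patched

@dataclass(frozen=True)
class Device:
    device_id: str
    enrolled: bool
    encrypted: bool
    patched: bool

    def tier(self) -> DeviceTier:
        if not self.enrolled:
            return DeviceTier.UNKNOWN
        if self.encrypted and self.patched:
            return DeviceTier.TRUSTED
        return DeviceTier.MANAGED

@dataclass(frozen=True)
class User:
    username: str
    groups: frozenset
    sso_authenticated: bool   # True only after a successful single sign-on

@dataclass
class ResourcePolicy:
    required_tier: DeviceTier
    allowed_groups: Set[str]

# Constructed policy table. Entries are edited at runtime (see grant/revoke below),
# which is what "authorization that changes over time" means in practice.
POLICIES = {
    "wiki.internal": ResourcePolicy(DeviceTier.MANAGED, {"employees"}),
    "payroll.internal": ResourcePolicy(DeviceTier.TRUSTED, {"finance"}),
}

def decide(user: User, device: Device, resource: str, source_network: str) -> Tuple[bool, str]:
    """Allow or deny a request. The network the request arrived from is accepted
    as an argument only to show that it plays no part in the decision."""
    policy = POLICIES.get(resource)
    if policy is None:
        return False, "unknown resource"
    if not user.sso_authenticated:
        return False, "user is not authenticated via SSO"
    if device.tier() < policy.required_tier:
        return False, f"device tier {device.tier().name} is below {policy.required_tier.name}"
    if not (user.groups & policy.allowed_groups):
        return False, "user is not in any group allowed for this resource"
    return True, f"allowed (source network {source_network!r} was not consulted)"

def grant_access(resource: str, group: str) -> None:
    POLICIES[resource].allowed_groups.add(group)

def revoke_access(resource: str, group: str) -> None:
    POLICIES[resource].allowed_groups.discard(group)

if __name__ == "__main__":
    alice = User("alice", frozenset({"employees", "finance"}), True)
    laptop = Device("lt-0001", enrolled=True, encrypted=True, patched=True)
    kiosk = Device("kiosk-7", enrolled=False, encrypted=False, patched=False)
    print(decide(alice, laptop, "payroll.internal", "coffee-shop-wifi"))  # allowed
    print(decide(alice, kiosk, "wiki.internal", "corp-lan"))              # denied
```

The two `print` calls show the inversion of the old model: a trusted device on public Wi-Fi is allowed in, while an unmanaged kiosk on the corporate LAN is refused.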
With these changes, we are seeing a crack in the bedrock of security that will break the industry's reliance on passwords and hasten the adoption of ubiquitous federated single sign-on. Corporate networks are no longer capable of being protected with passwords and firewalls. They require security measures that support high levels of complexity and enable more flexibility and mobility. This aligns with the vision and goal of Ping Identity to bring improved security and accessibility to the enterprise, regardless of the device or network an employee is using. We are heartened to see such strong validation of that mission through Google's updates.
An Era Beyond the Passwords of Today
The password paradigm has been broken for a long time, and the move to mobile and the cloud has only exacerbated the problem. Yet companies have struggled to move beyond the single-password-per-account model. Now, Google is nudging consumers into a new mindset and the separation of the identity account from the authentication factor is just the first step in that process. It breaks the perception that every login requires entering a password.
Google is already progressing down this path by using the Account Chooser capability from the OpenID Foundation, which makes subsequent sign-ins easy by remembering the different accounts accessed on a specific device. You'll recognize this if you have, for instance, a personal Gmail account and a work Gmail account, or if a friend also logs in to her account on your device. It's incredibly convenient. In the new identifier-first design, the user selects a login account and is then directly prompted only for a password or other authentication, without being re-prompted for a username.
Separating the identity account (username) from the password in the authentication process allows Google and others to provide stronger security for people across different accounts, different apps and different devices. It also better accommodates additional types of authentication mechanisms that don't require passwords, such as two-factor and even three-factor (such as biometrics). This idea is not new. Ping has been providing it for years -- my work account is federated via PingOne so I'm already authenticated when I go to my Google account and don't have to type in my password again. SaaS vendors also have enabled it for mobile apps, and banks, whose customers are prime targets for phishing schemes, rely on it. But with Google, it's going mainstream.
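The following is an added example, not Google's or Ping's code, of the identifier-first flow described above: the first step takes only the identifier and decides what to ask for next (a redirect to a federated identity provider, or a password prompt), and the second step verifies a local password and, where the account is enrolled, asks for a second factor. The accounts, passwords and the federated domain table are constructed; the IdP URL is hypothetical. One caveat a practitioner wants here: because step one is keyed on the domain rather than on the individual account, and step two does the same hashing work for unknown identifiers as for known ones, the split login does not make it easier to learn which accounts exist.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed federation table: domains whose users authenticate at their own IdP.
FEDERATED_DOMAINS = {
    "example-corp.com": "https://sso.example-corp.com/login",  # hypothetical IdP endpoint
}

@dataclass(frozen=True)
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    second_factor_enrolled: bool

def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hashing the deployment uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

def _make_account(username: str, password: str, second_factor: bool = False) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, _derive(password, salt), second_factor)

# Constructed local accounts (a real deployment reads these from a user store).
ACCOUNTS = {
    "alice@mail.example": _make_account("alice@mail.example", "correct horse battery", True),
    "bob@mail.example": _make_account("bob@mail.example", "hunter2"),
}

# Dummy record used for unknown identifiers so the password step does identical work.
_DUMMY = _make_account("nobody@mail.example", os.urandom(8).hex())

def identifier_step(identifier: str) -> dict:
    """Step 1: only the identifier has been submitted. Decide the next prompt.
    Routing depends on the domain alone, so the answer is the same for a
    known and an unknown local account."""
    domain = identifier.rpartition("@")[2].lower()
    idp = FEDERATED_DOMAINS.get(domain)
    if idp is not None:
        # Federated domain: hand off to the IdP; no password is collected here.
        return {"next": "redirect", "idp": idp}
    return {"next": "password"}

def password_step(identifier: str, password: str) -> dict:
    """Step 2 for local accounts. An unknown identifier is checked against the
    dummy record, so timing and the error response match a wrong password."""
    account = ACCOUNTS.get(identifier, _DUMMY)
    matches = hmac.compare_digest(_derive(password, account.salt), account.password_hash)
    if identifier in ACCOUNTS and matches:
        if account.second_factor_enrolled:
            return {"next": "second_factor"}
        return {"next": "done", "user": account.username}
    return {"next": "password", "error": "invalid credentials"}

if __name__ == "__main__":
    print(identifier_step("carol@example-corp.com"))   # redirect to the IdP
    print(identifier_step("alice@mail.example"))       # password prompt
    print(password_step("alice@mail.example", "correct horse battery"))  # second factor
```

The federated branch is where a product like PingOne would sit: the user never sees a password prompt at Google at all, because authentication happens at the identity provider and the result is carried back by the federation protocol.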
We're not going to see the password disappear immediately, but we're seeing the evolution of the industry such that the password is no longer necessary on login screens. This is an interim step leading to a radical change and a future of simpler and more secure access to data and resources no matter what device you use and what network. We don't know what types of stronger authentication forms there will be in the future, but now we'll be ready for them.