Secure Online Identities with Google’s New Recommendations

Organizations will continue to struggle with identity- and authentication-related attacks. Google recommends three actions you can take today.


According to the FBI's IC3 Report 2022, losses incurred due to internet crimes exceeded USD 10.3 billion, a 49 percent increase over 2021. With the attack surface expanding rapidly, Google's prediction for 2023 that 'identity and authentication attacks will remain a constant threat' offers little relief.

According to Heather Adkins, VP of security engineering at Google:

“Organizations will continue to struggle with identity- and authentication-related attacks, where relatively unsophisticated threat actors are able to purchase credentials in the underground or con their way into the organization. As a result, platform makers will be pressured to help consumers and enterprises defend against malware that steals those credentials.”

Identities extend far beyond humans and deep into the infrastructure of organizations. These machine identities cover devices such as computers, servers, network equipment, mobile and IoT devices, and workloads such as cloud services, applications, containers and DevOps pipelines. Digital certificates bind a public key to a machine's identity using cryptography; they serve as proof of the machine's authenticity and help establish and extend trust during communication.

According to the 2022 Trends in Securing Digital Identities report from the Identity Defined Security Alliance (IDSA), 84 percent of enterprises have experienced an identity-related breach in the last year, with 78 percent citing a direct business impact. Google's proposal to reduce the maximum validity of public TLS certificates to 90 days, its announcement that passwords will be replaced with cryptographic keys, or 'passkeys', and its change of the conventional HTTPS padlock icon to the new 'tune' icon all point to an initiative to boost identity-first security, shield against the growing number of identity and authentication attacks, and improve browser awareness among billions of users worldwide.

Let’s deep dive into these critical security measures embraced by Google in 2023.

1 Replacing passwords with ‘passkeys’

Starting from May 3, 2023, passkeys, a new cryptographic-key credential that requires a pre-authenticated device, are available for Google accounts across all major platforms, marking the company's next move towards a password-free future. Google users can switch to passkeys and sign in without a password or two-step verification code. Passkeys are being promoted by Google, Apple, Microsoft, and other tech companies affiliated with the FIDO Alliance as a safer, more usable alternative to passwords. They can replace traditional passwords and other sign-in procedures like 2FA or SMS verification with a local PIN or a device's built-in biometric authentication, such as a fingerprint or Face ID. There is no password that can be stolen in a phishing attack; the biometric data isn't shared with Google (or any other third party), and passkeys reside only on user devices, which offers greater security and protection. Accordingly, you don't need to be as cautious about where you use passkeys as you would be about using passwords, SMS verification codes, etc. There is no risk of using the same passkey for several services because each passkey can only be used for one account. This means that your Google Account is safe from data breaches across your other accounts, and vice versa.

Passkeys are a more secure form of authentication than passwords since they employ public key cryptography. Your device will generate a pair of keys when you register for a new account using a passkey: a public key that is shared with the service and a private key that is securely stored and locked behind your biometric information or a PIN. Support for passkeys by Google in its products is a significant step towards the widespread adoption of passwordless authentication mechanisms. Passkeys were first supported by Apple on the iPhone with iOS 16 and will be supported on Macs with macOS Ventura later this year.
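To make the key-pair mechanism concrete, here is an added Go example (not Google's or the FIDO Alliance's code, and not the WebAuthn/FIDO2 message format) that models the two halves described above: a device that keeps one private key per site and never releases it, and a site that stores only the public key and issues a fresh random challenge per login. The relying-party IDs, the user name and the look-alike domain are constructed for the example; binding the signature to the relying-party ID is the simplification that stands in for the origin binding a real authenticator performs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device: one private key per relying party
// (site), never handed out. The biometric or PIN that unlocks the key store is
// out of scope. (Assumption: a simplified model, not the WebAuthn wire format.)
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // relying party ID -> private key
}

// Register creates a fresh key pair bound to rpID and returns only the public
// half for the site to store; a breach at one site reveals nothing usable elsewhere.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedData binds the site's random challenge to the relying party ID, so a
// signature produced for one site is meaningless to any other.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Authenticate signs the challenge with the key registered for rpID.
// A look-alike domain is a different rpID, for which no key exists.
func (a *Authenticator) Authenticate(rpID string, challenge []byte) ([]byte, bool) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
	return sig, err == nil
}

// RelyingParty models the site: it stores public keys only and issues a fresh
// random challenge per login so that a captured signature cannot be replayed.
type RelyingParty struct {
	ID   string
	pubs map[string]*ecdsa.PublicKey // username -> public key
}

func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	return ok && ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig)
}

// ScenarioResult: the genuine login must succeed, the other two must fail.
type ScenarioResult struct {
	GenuineLogin       bool
	ForeignOriginLogin bool
	ReplayedSignature  bool
}

// RunScenario walks through registration and login; all names are constructed.
func RunScenario() ScenarioResult {
	device := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	site := &RelyingParty{ID: "accounts.example.com", pubs: map[string]*ecdsa.PublicKey{}}
	pub, err := device.Register(site.ID)
	if err != nil {
		panic(err)
	}
	site.pubs["alice"] = pub
	var res ScenarioResult
	c1 := site.NewChallenge()
	sig1, ok := device.Authenticate(site.ID, c1)
	res.GenuineLogin = ok && site.Verify("alice", c1, sig1)
	// A constructed look-alike domain is a different relying party: no key for it.
	lookalike := &RelyingParty{ID: "accounts-example.com"}
	_, res.ForeignOriginLogin = device.Authenticate(lookalike.ID, lookalike.NewChallenge())
	// Replaying sig1 against a fresh challenge does not verify.
	res.ReplayedSignature = site.Verify("alice", site.NewChallenge(), sig1)
	return res
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Running it prints `{GenuineLogin:true ForeignOriginLogin:false ReplayedSignature:false}`: the site never holds anything that can be phished or reused, and a signature is only valid for the site and the challenge it was made for.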

Call-to-Action: Password vulnerabilities and an upsurge in credential-based attacks necessitated the development of a new, password-free authentication method. This is where passwordless verification comes into play. As the name implies, passwords are entirely eliminated from the authentication procedure. To authenticate people and devices, it instead employs safer, more transient methods such as biometrics and public key infrastructure (PKI), i.e. digital certificates and cryptographic keys, as Google does in the form of 'passkeys'. Digital certificate-based authentication and PKI have proven to be an effective method, especially now that the number of machine identities has surpassed the number of human identities. With a password-free future ahead, the call-to-action here is to get acquainted with passwordless authentication mechanisms and switch to PKI-based authentication for governance, scalability, crypto-agility, efficiency, and cost savings.

2 Replacing the HTTPS padlock sign with a ‘tune’ icon

Millions of consumers believe that a website is safe and reliable when they see a padlock icon in the URL bar. But that's going to change: on May 2, 2023, Google announced that the padlock icon will be removed in Chrome version 117, starting in September 2023. This shift doesn't mean Google no longer values HTTPS; on the contrary, Google now expects all websites to be HTTPS by default. The lock icon does not imply that a website is trustworthy; it only indicates that the connection is established over a secure protocol. The lock icon offers users a false sense of security, since they wrongly assume that the website is safe and hence trust the website they are visiting. This misconception is harmful because phishing and malware sites also use HTTPS and therefore display the lock icon. The announcement from the Chrome Security Team confirms that the browser will keep labeling insecure websites with "insecure" tags.

According to Google's research in 2021, only 11 percent of users correctly understood the precise meaning of the lock icon. This is why Google decided to replace the age-old lock icon with the new 'tune' icon, which "does not imply 'trustworthy', is more obviously clickable, and is commonly associated with settings or other controls." Google's official announcement states: "Replacing the lock icon with a neutral indicator prevents the misunderstanding that the lock icon is associated with the trustworthiness of a page, and emphasizes that security should be the default state in Chrome." The new 'tune' icon will be displayed on both the desktop and Android versions of Chrome; on iOS, where the padlock icon is not clickable, it will be removed entirely.

Call-to-Action: Users frequently interpret the lock icon incorrectly, believing it to signify a safe website rather than a secure one. Secure means that your data is transmitted over an encrypted connection. It isn't safe or reliable, though, unless you know the verified identity of the entity at the other end of the connection. Safe implies that you are confident in the verified digital identity of that entity and that you can trust it to handle your data with care. The certificate authority (CA) that issues the SSL/TLS certificate for the website performs this identity verification. However, the fact that a website uses HTTPS does not, on its own, signify much, given that almost anyone can obtain a domain validation (DV) SSL/TLS certificate. To demonstrate that a website is secure, safe, and trustworthy, there needs to be something extra that offers an additional layer of identity verification.

Asserting your digital identity on your website using organization validation (OV) or extended validation (EV) SSL/TLS certificates will therefore be more crucial than ever. Businesses are having to deal with phishing scams, email spoofing, and other fraud more frequently. The call-to-action here is to raise awareness about what you should and should not trust, and for organizations to use trustworthy digital certificates that provide a verifiable digital identity as the industry moves towards HTTPS as the default.

3 Reducing TLS certificate validity to 90 days

On March 3, 2023, Google announced a proposal called "Moving Forward, Together," outlining some of the important policy changes it aims to implement in future versions of its Chrome Root Program in an effort to strengthen Internet security. One of the main policy changes is reducing the maximum validity period for public TLS certificates from 398 days to 90 days, to encourage modern, secure infrastructure and agility. Given Google's market dominance, all public certificate authorities (CAs) will need to standardize on 90-day certificates.

This is not the first time that certificate lifetimes have been reduced. Over the last decade, lifespans have steadily decreased from five years to two years, and finally to the present maximum validity of thirteen months. Along with enforcing a 90-day lifespan, Google recommended limiting the domain validation reuse period to 90 days. This means that organizations must not only renew their certificates every 90 days but also re-verify their domains.

Call-to-Action: With a three-month validity period, public TLS certificates will need to be renewed not once, but four times a year! While renewal is not inherently difficult, manual operations at scale are. If a TLS certificate expires, the internet-facing application or website will not be secure, trusted, or in some cases accessible, causing a service outage, as Starlink faced recently, and potentially worse, an insecure attack vector. It is best practice to refresh certificates and keys frequently to maintain a strong security posture, which includes renewing and reissuing certificates regularly. The call-to-action here is to automate certificate lifecycle management, which can simplify and modernize all of the operations involved, including discovery, enrollment, provisioning, renewal, and revocation. Automation eliminates the need for human intervention, increasing employee efficiency and dramatically lowering the risk of certificate-related outages and data breaches.
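To show what an automated lifecycle process has to decide on a 90-day certificate, here is an added Go example (not AppViewX's, Google's or any CA's code). It builds a constructed self-signed certificate, computes the days remaining, flags when renewal is due, flags lifetimes beyond the proposed 90-day maximum, and reads the subject Organization to tell an OV/EV-style subject from a DV-style one, which also illustrates the DV versus OV/EV point from the previous section. The host name, organization and issue date are constructed; the rule of renewing once a third of the lifetime is left is a common automation convention assumed here, not part of Google's proposal.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxValidity is the 90-day lifetime proposed for public TLS certificates.
const MaxValidity = 90 * 24 * time.Hour

// NewTestCert builds a self-signed certificate for host (constructed for this
// example, not a real CA issuance). A non-empty org goes into the subject to
// mimic an OV/EV certificate; leave it empty to mimic a DV certificate, which
// carries only the domain name.
func NewTestCert(host, org string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: host}
	if org != "" {
		subject.Organization = []string{org}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DaysRemaining reports whole days until expiry; negative once expired.
func DaysRemaining(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// RenewalDue is true once less than a third of the lifetime is left (assumed
// convention: for a 90-day certificate that is day 60, leaving a month to
// retry before an outage).
func RenewalDue(cert *x509.Certificate, now time.Time) bool {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	return now.After(cert.NotAfter.Add(-lifetime / 3))
}

// ExceedsProposedMax flags certificates issued for longer than 90 days.
func ExceedsProposedMax(cert *x509.Certificate) bool {
	return cert.NotAfter.Sub(cert.NotBefore) > MaxValidity
}

// SubjectOrganization returns the organization the issuer placed in the
// subject (OV/EV), or "" for a DV-style certificate.
func SubjectOrganization(cert *x509.Certificate) string {
	if len(cert.Subject.Organization) == 0 {
		return ""
	}
	return cert.Subject.Organization[0]
}

func main() {
	issued := time.Date(2023, 6, 1, 0, 0, 0, 0, time.UTC) // constructed issue date
	cert, err := NewTestCert("www.example.com", "Example Corp", issued, MaxValidity)
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject org: %q, exceeds 90 days: %v\n", SubjectOrganization(cert), ExceedsProposedMax(cert))
	for _, day := range []int{30, 61, 91} {
		now := issued.AddDate(0, 0, day)
		fmt.Printf("day %3d: %3d days left, renewal due: %v\n", day, DaysRemaining(cert, now), RenewalDue(cert, now))
	}
}
```

Pointing the same checks at a real deployment means replacing NewTestCert with the certificate obtained from the server or inventory; the decision functions take a parsed *x509.Certificate and do not care where it came from.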

As digital transformation and agile DevOps processes continue to increase the need for machine identities, it's clear that an identity-first security approach is necessary to achieve zero trust. These changes proposed by Google aim to promote a stronger security posture while supporting how organizations deliver applications and interact with customers. With more sophisticated cyberattacks on the rise, organizations must implement best practices for identity and access management. And that means putting a focus on both human and machine identity management to keep your organization protected from the edge to the core of your business.


Christian Simko is vice president of product marketing at AppViewX, a platform that aligns cross functional teams with self-service workflow orchestration to accelerate and optimize application delivery with security and compliance built-in.