Fresh off internal success, Google suggests new ID tech for payments

A computer plug-in has proven to be an effective authentication tool for Google's 50,000 employees, sparking endorsement for broader use in contactless technology, including payments.

Google deployed Security Keys, a dongle based on specs from The Faster Identity Online Alliance (FIDO), within its company to help determine how the two-step verification process could potentially operate for the more than a billion users on Chrome browser and Google's consumer-facing Web applications.

"Our two-year deployment and its analysis provide clear confirmation of how well FIDO's approach is suited to making stronger authentication more usable," Google stated in a blog posted Dec. 7 on the FIDO Alliance site.

Tony Avelar/Bloomberg

Google suggests the Security Keys' underlying protocols could also be used through Near Field Communication (NFC) and Bluetooth Low Energy technology, thus use cases could expand beyond workplaces and into payments security.

But that type of transition is not automatic, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.

"With employees, you have a relatively small, captive audience, who really have no choice but to embrace the use of a dongle in order to get their job done," Conroy said. "However, I’m a bit skeptical when it comes to expanding it to a mass consumer authentication use case."

The payments and security industry has seen "time and again" that requiring a separate piece of hardware for consumer authentication is a non-starter, Conroy added. "While this also has the ability to be used via NFC or Bluetooth, that requires that both ends of the transaction are NFC and/or Bluetooth capable, and in the case of Bluetooth, that the consumer has the Bluetooth on their device turned on."

Earlier this year, FIDO began the move toward advancing its certified authentication technology into the payments realm through a working relationship with EMVCo, the EMV standards body, with the focus on device authentication in mobile payments.

For now, Security Keys represents a "great approach to employee security," but technology developers will have much more to think through before it is workable for mass-market consumer authentication, Conroy said. Currently, it works only with Chrome browser.

In the work setting, employees use the Security Key dongle in a computer USB port to establish verification through cryptographic code previously registered to a user account, rather than typing in a password and then receiving and sending a verification code back from a smartphone to access a site.

Essentially, Security Keys cryptography is designed to automatically work on a specific site, thus thwarting phishing attempts in which attackers set up look-alike sites in order to steal verification codes being sent via phones.

In a different twist on the concept, e-commerce companies have been developing a virtual key, or virtual secure element, to protect transactions. Such a trend would accelerate security measures on cloud-based payments, digital identities technology and diminish hardware needs through mobile security software.