Issue No.01 - Jan.-Feb. (2013 vol.11)
pp: 15-22
Eric Grosse, Google
ABSTRACT
Like many in the industry, the authors believe passwords and simple bearer tokens, such as cookies, are no longer sufficient to keep users safe. Google employs a base level of sophisticated server-side technologies, such as SSL and risk analysis, to protect users with plain old passwords; however, it's also investing in client-side technologies, such as strong authentication with two-step verification using one-time passwords and public-key-based technology, for stronger user and device identification. It's championing various approaches to access delegation, both in its applications and with third parties, so that end user credentials aren't passed around insecurely.
INDEX TERMS
Authentication, Servers, Privacy, Electronic mail, Computer security, Access control, Passwords, delegation, authentication, passwords, second factor, OAuth
CITATION
Eric Grosse, Mayank Upadhyay, "Authentication at Scale", IEEE Security & Privacy, vol.11, no. 1, pp. 15-22, Jan.-Feb. 2013, doi:10.1109/MSP.2012.162