Google levels up security at I/O with secure comms tool, better authentication

Google targeted people's growing digital insecurity at its I/O developer conference this week with a number of new products that aim to protect communications and improve authentication.

Project Vault is a new hardware device created by Google's Advanced Technology and Products (ATAP) lab for people who need the absolute highest security for their communications. The device, which is packed in the form factor of a MicroSD card, is designed to provide encryption for sensitive data at rest, and allow end-to-end protection of streaming data (including streaming video) as well. The Vault card contains its own antenna, processor and operating system, which means that the device can authenticate directly with the Project Vault servers without requiring the use of other potentially insecure hardware.

The Vault hardware runs a special operating system called ARTOS that's focused on security. The chip comes with a bunch of cryptographic goodies built in, including support for signing, hashing and a hardware random number generator. Peiter ".mudge" Zatko, the leader of Project Vault, showed off an encrypted chat session between two Vault users on Friday.

Both users were able to see what the other was saying in plain text, but the server running the chat session between the two wasn't able to decode their conversation. Project Vault handled all the setup, and not even the users were able to see the private keys used to generate the encrypted session.

Like the rest of ATAP's projects, it's not clear if or when Vault will be making its appearance as a consumer product. Right now, the device is being used in a small 500-unit pilot program inside Google for security purposes, and ATAP is building a product for enterprise users. At a time when more people are concerned about security of their information and communications, the need for something like Vault is readily apparent.

Starting with the launch of Android M in the third quarter of this year, developers and manufacturers will be able to take advantage of system-level support for fingerprint sensors for things like unlocking phones, securing applications and making payments with the new Android Pay technology. It's a move that should make it easier for Android devices to sport the same sort of technology that powers Apple's Touch ID on the iPhone. Some Android device makers like Samsung have already begun using fingerprint sensors, but the new features in M will make it easier for developers to work with that hardware.

The company's ATAP lab has also been working on a pair of initiatives aimed at improving security in the long term. The first, called Project Abacus, is designed to do away with a reliance on passwords by using a variety of factors to determine whether a user is who they say they are.

A login screen using Abacus demonstrated in a video shown at I/O measured and scored a variety of factors, including a user's location, face, voice, typing pattern, connected Bluetooth devices and password. If those scores met an acceptable threshold, the phone could be programmed to unlock for the right person, but when someone else tried to log in, they would be rejected.

Abacus is a step above fingerprint detection and other biometric security measures, since it doesn't just rely on one method of authentication that could be spoofed. According to ATAP head Regina Dugan, Abacus is 10 times as secure as a fingerprint.

Google also unveiled a new Identity Platform on Thursday that will allow developers to automatically retrieve passwords stored with Google's Smart Lock password locker on Android and Chrome to instantly authenticate with websites and apps. It's a move that should make it easier for people to use complex passwords, since they won't have to worry about typing them out or having to find, copy and paste them when it comes time to log into a service.

Google's security plans may be complicated by the current political climate. Law enforcement agencies around the world have been pushing for laws that require tech companies build back doors to give them access to encrypted communication products. David Cameron, who recently won re-election as the prime minister of Great Britain, has said that his government would push for such laws.

Blair Hanley Frank

Zur Startseite