New startups looking for ways to keep their users secure should know one thing, a top Google security executive said Tuesday: "Passwords are dead."
Speaking on a TechCrunch Disrupt panel called "Spies Like Us," Heather Adkins, Google's manager of information security, told moderator Greg Ferenstein that in the future, the "game is over for" any startup that relies on passwords as its chief method to secure users and their data.
Adkins, speaking alongside Kleiner Perkins Caufield & Byers managing partner Ted Schlein and author James Bamford, said that looking ahead, "our relationship with passwords are done," and that "passwords are done at Google."
She talked briefly about Google's use of two-step authentication and the fact that the search giant has been working to innovate in the area of non-standard password security. As a result, she said, any startup that still relies on standard passwords needs to ensure that it has an abuse team set up to deal "with customers getting compromised."
Although Adkins didn't offer any real specifics on how Google will innovate beyond today's security, she did say the company is experimenting with hardware-based tokens as well as a Motorola-created system that authenticates users by having them touch a device to something embedded, or held, in their own clothing. "A hacker can't steal that from you," she said.
Later in the conversation, which also touched on the NSA scandal, cybersecurity, and the weaponization of offensive cyber technologies, Adkins pointed out that hackers intent on making money from their bad acts had consistently found ways to exploit Google users who had yet to turn on two-factor authentication. Essentially, she explained, hackers were able to get into such users' accounts, turn on two-factor authentication themselves, and lock the users out before utilizing those accounts to send spam. "They are finding new ways to make money off it," she said. "Ways we hadn't anticipated."
Finally, Adkins argued, technology companies need to step up and build products that protect users so "they don't rely on not getting fooled." Ultimately, she said, anyone starting a new technology company should be sure that one person is designated to focus on security and privacy, and that one of the first 25 employees should work full time on security and privacy.