Authentication at Scale

Eric Grosse
Mayank Upadhyay
IEEE Security and Privacy, 11(2013), pp. 15-22


In working to keep cloud computing users' data safe, we observe many threats (malware on the client, attacks on SSL, vulnerabilities in web applications, rogue insiders, espionage), but authentication-related issues stand out among the biggest. When trying to help hundreds of millions of people with an unbelievable variety of endpoints, attitudes, and skill levels, what can possibly displace plain old passwords? No single thing, nothing overnight, and nothing perfect. A combination of risk-based checks, second-factor options, privacy-enhanced client certificates, and different forms of delegation is starting to find adoption and to make a discernible difference.