Heather Adkins is the very definition of an IT security expert. Google’s director of information security and privacy joined the web giant 15 years ago as the first person on its security team.
And she doesn’t believe in passwords.
“If you look at the average consumer, they have multiple online accounts, each one has different requirements for setting your passwords, they have to be eight characters and they have to have upper case letters, symbols and we’ve made it very complicated for users,” she told Business Insider during a visit to Sydney.
“To the point where actually, there’s a good chunk of the security industry that now recommends writing them down so that you can remember them all.”
Adkins is convinced that a password-less society is what technology should aim for, and good progress has already been made on that front with complementary alternatives like physical tokens, text message authentication and biometrics.
“The idea that we create an ecosystem for better authentication for all users. That way we’re moving towards this world where the password is irrelevant and you have these other factors that help you authenticate,” she said.
“The death of the password is, I think, a very, very long ways off. But we’ve hit some really big milestones in changing the way we think about the user and the relationship to the machine and how we identify ourselves to one another.”
In recent years, cybercriminals have become increasingly sophisticated in devising “social engineering” tactics to get users to reveal their passwords voluntarily. An example is cold calling into an office and pretending to be IT support.
Adkins’ team has been working on eliminating passwords for “six or seven years” to counter this kind of manipulation, which dupes Google employees just as much as anyone else.
“It’s [really] easy to trick users to giving it over,” she said.
“If you have a well-constructed social engineering attack, users will almost always hand it over. And we know this of Google employees as well.”