Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Google AI Android

Google Plans To Bring Password-Free Logins To Android Apps By Year-End (techcrunch.com) 109

An anonymous reader shares a report on TechCrunch: Google's plan to eliminate passwords in favor of systems that take into account a combination of signals -- like your typing patterns, your walking patterns, your current location, and more -- will be available to Android developers by year-end, assuming all goes well in testing this year. In an under-the-radar announcement Friday afternoon at the Google I/O developer conference, the head of Google's research unit ATAP (Advanced Technology and Projects) Daniel Kaufman offered a brief update regarding the status of Project Abacus, the name for a system that opts for biometrics over two-factor authentication. With Project Abacus, users would unlock devices or sign into applications based on a cumulative "Trust Score." This score would be calculated using a variety of factors, including your typing patterns, current location, speed and voice patterns, facial recognition, and other things.The Trust API will be available to developers, who can then implement that into their apps. The company says that developers will have the option to adjust the threshold required for a trust score.
This discussion has been archived. No new comments can be posted.

Google Plans To Bring Password-Free Logins To Android Apps By Year-End

Comments Filter:
  • Luddite here (Score:4, Insightful)

    by liqu1d ( 4349325 ) on Monday May 23, 2016 @12:57PM (#52165995)
    What on earth is wrong with two factor authentication? I can't see these being more secure.
    • Re:Luddite here (Score:5, Insightful)

      by Calydor ( 739835 ) on Monday May 23, 2016 @01:00PM (#52166011)

      In fact they will be extremely troublesome.

      Typing or voice patterns? Oh so sorry, you have a headache or the flu, your pattern has shifted enough to not be recognizable. Walking patterns? Too bad about that broken leg after your ski trip, you're locked out of your phone for three months or more.

      • Re:Luddite here (Score:4, Insightful)

        by JackieBrown ( 987087 ) on Monday May 23, 2016 @01:44PM (#52166339)

        Yep - I'm sure no one at Google thought about this. You should email them quick!

        • I'm not even sure Google knows what email is!

        • Re:Luddite here (Score:4, Insightful)

          by Jane Q. Public ( 1010737 ) on Monday May 23, 2016 @09:28PM (#52169071)

          Yep - I'm sure no one at Google thought about this. You should email them quick!

          What, you think Google is magic, or prescient?

          Google has had A LOT of bad ideas. And went on to implement them, only later to realize they were bad ideas.

          The thing about Google is that it (or Alphabet) is big enough that it can afford such failures... no matter how much it costs the rest of us.

        • These people made Google+. I wouldn't be surprised if they did think, but don't give a shit.
        • by allo ( 1728082 )

          Google has no public support mailaddress. All you get is to browse their help system with some superficial articles and some feedback button to the article, if you're lucky. Sending e-mail, even about scam in the chrome store or similiar, is just not wanted by them.

      • by Anonymous Coward

        Don't even need an exotic ski trip. Your gait is significantly impacted by moderate alcohol consumption, as is your typing and other motor skills, your vocabulary, and pretty much every other faux-biometric pattern. I just can't wait for the day when I have a few drinks and then can't login to Uber for a ride because Google says "nope, it's not really you!" This all seems like an answer in search of a problem, what the hell is so hard about a password? My phone remembers those for me if I ask it to, even wh

        • Although that could help prevent drunk dialling an ex
        • Right... I guess you've never been so drunk to take more than 10 tries to enter your password on a full-sized keyboard. On an on-screen phone keyboard that'd be outright impossible.

          But then, there's a difference between three beers vs a liter of vodka shutting you out of your authentication.

      • by piojo ( 995934 )

        Oops, we don't recognize your typing. And despite the fact that this problem hasn't happened at all in the past year, we're sure you remember your password. :)

    • Relatively few users will voluntarily use two-factor authentication. Users are uniformly angry when forced to adopt two-factor authentication. I guess these alternative technologies would encourage wider adoption of security protocols by the masses.

      • by H3lldr0p ( 40304 )

        And I would argue back that's because people in general are terrible at security. It takes a certain mindset to accept the purpose behind such things, let alone integrate them into anything approaching usefulness.

        • "accept[ing] the purpose" and "not being angry" are two different things.

          If people weren't scumbags, we wouldn't need this (or door locks, etc..).

        • When I used to do locksmith work, it would take me a few seconds to unlock your car or house if you locked the key inside. Customers were happy that I could bypass the security for them.

          Now that I work in information security, most people seem to think something is horribly wrong if I'm able to bypass the security.

          There is an appropriate level of security for each use case. Neither your apartment nor your Slashdot account needs to be an impenetrable fortress that even the CIA can't get in to . Sometimes,

          • On the other hand, if the CIA (or any other Federal or local organization, whether related to law enforcement or not) wishes to come into your house, the following are typically true:

            (1) You know about it.
            (2) It costs them a *significant* amount of money (have to pay the people to go out and knock on / bust down your door).
            (3) There is huge risk of negative PR for them if they don't find what they're looking for.
            (4) They need a warrant from a judge.
            (5) Because of all the above, they have to be pretty darn s

          • When I used to do locksmith work, it would take me a few seconds to unlock your car or house if you locked the key inside. Customers were happy that I could bypass the security for them.

            Now that I work in information security, most people seem to think something is horribly wrong if I'm able to bypass the security.

            There is an appropriate level of security for each use case. Neither your apartment nor your Slashdot account needs to be an impenetrable fortress that even the CIA can't get in to . Sometimes, convenience does trump security.

            that's why I used to use a three password system. One simple alpha password for accounts that don't matter and then a beta and gamma passwords for sort of secure and really secure accopunts respectively and then a delta password for my email. Nowadays I use a Password Manager [keepass.info] and Two Factor Authentication [authy.com] for every place that allows it. [twofactorauth.org] I use KeePass because while I'm pretty careful I wasn't help with the security of a 3+1 password system nor the flexibility such as the fact that I tended to use Alpha for

          • by rtb61 ( 674572 )

            There is a way to bypass password security and remain secure. This can be done via localised password applications and an accepted password protocol. Basically you use a local application with one password to create the password required to access the remote site. So in future that site sends a request for your password and you either allow to block your local password app from sending the password (which can of course be extremely long and complex and even rotate from access to access by handshaking with

        • And I was agreeing with you. The question is whether you howl at the moon or you devise another method that might be easier to adopt.

      • by Alumoi ( 1321661 )

        Hmm, let's see: in order to log in you must:
        1. enable location tracking
        2. type a certain phrase taking care not to deviate from the previous n times
        3, dance a jigga, using the same moves you used the previous n times
        What on Earth could go wrong?

        • Now I have a reason to turn to Windows Phone or iOS, because not very far in the futures, any effing app in Android will demand access to my location data, walking patterns, and other such rubbish to allow me to use them.
          • Can't someone just create an app to make your phone send bogus location data? Then you can plot points in the middle of the ocean or some foreign city and have different locations for different apps.

            For me, any app that needs to know where i am other than a map program just doesn't get installed or used. I'm likely not alone in that either.

            • by Alumoi ( 1321661 )

              So you don't do skype, whatsapp and don't browse the web on your Android device, right? And you must have also removed the Google Play services.

              • No, i don't have any of that on my phone. I do have play services installed and do not know how to uninstall it. My GPS is disabled, i have set Google services to not use it. And don't surf with chrome. (I use dolphin primarily )

                Now the phone does try to pin a location down by IP address. But my provider uses a proxy and if i don't search for something specific by city state, it will suggest towns 3 or more states away.

                I'm by no means 100% effective at stopping them from getting or using my location but i

    • If hackers can break into one database & get your name, number, SSN, password, credit card, etc, I don't think they'll have much trouble breaking into two.

      If the companies even separate they authentication hashes on the back end.

    • Re:Luddite here (Score:5, Informative)

      by 93 Escort Wagon ( 326346 ) on Monday May 23, 2016 @01:24PM (#52166181)

      What on earth is wrong with two factor authentication? I can't see these being more secure.

      The problem is - Google can't collect more information on you when you're using traditional two-factor authentication. With this new technique, on the other hand, Google will hopefully cut down on the pesky number of users who intentionally disable Google's monitoring when they aren't actively using Google's apps. To collect information on your walking cadence, for instance, they'll need to be able to track your walking constantly.

    • The simple fact that it's a pain in the arse.

      Proving that you are you twice is far more difficult than someone knowing from the onset.

      • What on earth is wrong with two factor authentication?

        The simple fact that it's a pain in the arse.

        You're using it wrong.

        • Then what's the right way?

        • Really? Then do care to explain how adding a second factor of authentication is more convenient than simply having a password, and how it's all so more convenient than a device which simply knows that you are you and doesn't need to actually bug you to prove it.

          The fact that authentication is a PITA, 2-factor even worse so is precisely what has lead the rise of ultra simple logins (pin, pattern, look in the camera, or don't take your finger off the button).

    • What on earth is wrong with two factor authentication? I can't see these being more secure.

      Exactly.

      What happened was that someone at Google decided two factor authentication wasn't complicated or cool enough, and came up with a "better" *cough* way to solve a problem that's already been solved. Plus it'll give them an excuse to gather even more data on you.

    • I'm not sure what your objection is about. It looks like this is a form of multi-factor authentication. The 2FA du jour is to either send an SMS or have an encryption key on your phone-- in both cases, the second factor is your phone. So you can't use that 2FA for signing into your phone.

      So what's the solution that you'd like?

    • Because Google wants to know more about you for tracking purposes and other business ideas.
  • ....now they want me to start using authentication that assumes that I keep my same physical abilities all my life.

    HAHAHAHAHAno.

    • It sounds like this biometric-based "trust score" will just be an additional verification factor... So I am not sure why they are saying it is going to replace 2nd factor.... it will BE the second (or third) factor...

      Also, being a second factor implies that this will not unlock your device by itself... it will just be an additional "verification" on your unlock method... like: I see that you got the unlock dot sequence technically correct, but you did it in a swiping style that is inconsistent with all your

  • Well, awesome.. My "password" to everything will be my couch. Guess it's fitting that would be the key to my online world, it's already the key to my real life one.
  • by the_skywise ( 189793 ) on Monday May 23, 2016 @01:13PM (#52166099)

    Good luck getting that to work when you're drunk and trying to order up an Uber.
    "I need -hic- whoa I need a uber to get home"
    UNAUTHORIZED USER
    "No like really man, open up and order me a..."
    UNAUTHORIZED USER
    "Oh fu...fu... fine... hic... Oh wait"
    UNAUTHORIZED USER"
    "SHADDUP THAT WASN'T AN ATTEMPT"
    UNAUTHORIZED USER
    "wait wait... my voice is.. my passport, verify me?"
    UNAUTHORIZED USER
    "FUG YOU... Ima just gonna llie down on this soft concrete now..."
    "Oh dude... check out this guys awesome phone, grab it!"
    User accepted, have a nice day.
    "sweet!"

  • "The company says that developers will have the option to adjust the threshold required for a trust score."

    My bank will set the threshold at MaxScorePossible+2

    I've given up on online banking as they use a 3rd party program which requires a bank-generated login name and account key, plus an extensive password requirement list, and a 30 day login timeout (if you don't login every 30 days or less you have to go to a branch to have login and key reset, and a new password issued. Via snail mail).

    • by afidel ( 530433 )

      Simple solution:get a new bank, or better yet if you're in the US a credit union. Then again I deal with two of the largest banks in the world (BoA and Wells Fargo, both through acquisition of other banks) and they have no problem doing online banking correctly.

    • But I hope they also have a second channel for verification of login or transation, like sending you an SMS with the amount transferred and the target account number along with a one time pin to sign the transaction, right?

      If not, tell them their security theater is worth less than the TSA goons at the airport. And they're already worse than useless.

  • The use of walking pattern as an identity feature has been tried by a few people. Some of the first research on this was done by Ari Trachtenberg and his students at Boston University. I remember being very impressed when they presented the basics and found the idea of using the accelerometer to measure how one was walking to be pretty neat. They were careful to emphasize that it wasn't by itself ideal or unique identitifier. So in this context, combining it with other signals makes a lot of sense.
  • Google: Let's just try all kinds of shit and see what works and what doesn't.
    Apple: We're not going to tell anybody what we're doing until it's perfect and may kill it before release.

    They are two competitors with very very different approaches. I can't wait to see how this plays out in the long term! More entropy? Or less?

  • by joe_frisch ( 1366229 ) on Monday May 23, 2016 @01:34PM (#52166279)

    So they want a technology that can accurately identify me by all sorts of unconscious traits. This would make any form of anonymity impossible.

    I completely understand why Google wants this - collecting and selling information is their business model. I don't understand why *I* as a customer would want it.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      You aren't the customer in this scenario. You are the product!

    • by Anonymous Coward

      This would make any form of anonymity impossible.

      With Android, anonymity is already impossible.
      It's not a bug. It's Android's main feature for Google.

  • What an incredibly stupid way to blow through CPU cycles. Seriously, use my local processing power for things I want, like local search, voice interaction and navigation which can work offline / from cache consistently.

    There is a second HUGE problem with this. Any app can gather sufficient biometrics to falsify a Trust Score. Even worse, unlike say an intentionally malicious app which could just replace your keyboard app and grab passwords by key logging, advertising and other agencies could request litt
  • by thedarb ( 181754 ) on Monday May 23, 2016 @01:58PM (#52166457)

    Do not want. Courts can, and do, compel people to provide bio-metric data, as that is not protected by the 5th Amendment. Only passwords and pass-phrases are protected. Government agencies would LOVE this trend, especially if it became the only form of authentication on your device(s), as they wouldn't need a back door to your encryption anymore. Do not accept this weakening of your security.

  • Seriously? (Score:4, Insightful)

    by SumDog ( 466607 ) on Monday May 23, 2016 @02:03PM (#52166489) Homepage Journal

    This seems horrible in every way possible.

  • Hidden message (Score:2, Interesting)

    by Anonymous Coward

    What Google is really saying is that they're tracking so many user behaviors that you will not be able to hide behind an alias.

  • Oh great, security by any number of diffuse signals you—the user—don't entirely trust and can't functionally verify against either Type I and type II errors [wikipedia.org].

  • As it stands at the moment, Android devices take months to get security and OS updates, if they get them at all. For me, that is, BY FAR, the biggest disadvantage of Android-based devices. Any difficulties or annoyances due to the need to type in a password absolutely pales in comparison to the apparently lax security policies of the Android environment.
  • What problem... (Score:5, Insightful)

    by Dcnjoe60 ( 682885 ) on Monday May 23, 2016 @02:16PM (#52166625)

    What problem is this trying to solve? And more importantly, why is google collecting this specific information about users and once collected, how else will it be used and by whom? Maybe that's why the announcement was "low key." They were hoping it would go unnoticed.

    • Well if we assume (naively) that Google's intent is to make it more convenient and faster for users to unlock their phones, why not just standardize on technology that mimics the iPhone's Touch ID? The same button I press to turn on my screen is simultaneously scanning my finger to determine if I'm the authorized user. That level of convenience (with a fair bit of security, short of someone forcing you to unlock your own phone) is hard to surpass.

      Press button, unlock phone. No typing passwords or PINs, no t

      • (with a fair bit of security, short of someone forcing you to unlock your own phone)

        Ummm... if you enjoy the convenience of logging in with fingerprint scanners, that's fine -- but know that it's not very secure. Nowhere near as secure as a decent password. Nobody needs to force you to unlock your phone. All they need is a copy of your fingerprint, and fingerprints are pretty easy to get.

  • Google still finding innovative ways to lock you out of your accounts.
  • face recognition, nope! normal walking pattern, hell.. unlocking phone to take a selfie.. denied. maybe this is a good thing after all. how about running from a mugger use case? face recognition, tough after a punch to the face running pattern, def not normal calling 911, better hope the phone has emergency dial from locked screen.
  • by TheCarp ( 96830 )

    Since I don't see how these "signals" could be used to reliably product a cryptographic key to unlock the data, seems to me like they are inherently inferior to the password.

    Why take a step backwards technologically from something bad but workable to something unworkable?

  • Are we just saying F*** you to MDM and companies who allocate company owned cell phones to their employees? This is not a problem that needs to be solved.

  • *That* sounds secure. /s

  • ...I need to ... what? Chop a leg off? Move house?

    Sounds like another version of "use something you can't change as a password, rather than as a user id."

  • I want to be able to write rules, so that, if I'm at home (Geo-location) and connected to the wireless, then you only need a simple unlock code.

    If I'm out and about, I want it to be looking for my smart watch before it will unlock, or otherwise a yubikey (NFC).

    If you want to get into my work section of my device you need *all* the above. Bluetooth, NFC and a strong unlock code.

    If you don't have any of this stuff, no unlock. If you fail auth 7 times, full brick. Device destroyed.

    I don't want to reward people who would mug me for my phone, if we got to the point where the devices are a worthless lump without an unlock, then people won't steal from you. Remove the incentive, remove the crime.

  • before you can login to my gmail.

"Inquiry is fatal to certainty." -- Will Durant

Working...