Google Plans To Bring Password-Free Logins To Android Apps By Year-End (techcrunch.com) 109
An anonymous reader shares a report on TechCrunch: Google's plan to eliminate passwords in favor of systems that take into account a combination of signals -- like your typing patterns, your walking patterns, your current location, and more -- will be available to Android developers by year-end, assuming all goes well in testing this year. In an under-the-radar announcement Friday afternoon at the Google I/O developer conference, the head of Google's research unit ATAP (Advanced Technology and Projects) Daniel Kaufman offered a brief update regarding the status of Project Abacus, the name for a system that opts for biometrics over two-factor authentication. With Project Abacus, users would unlock devices or sign into applications based on a cumulative "Trust Score." This score would be calculated using a variety of factors, including your typing patterns, current location, speed and voice patterns, facial recognition, and other things. The Trust API will be available to developers, who can then implement that into their apps. The company says that developers will have the option to adjust the threshold required for a trust score.
Luddite here (Score:4, Insightful)
Re:Luddite here (Score:5, Insightful)
In fact they will be extremely troublesome.
Typing or voice patterns? Oh so sorry, you have a headache or the flu, your pattern has shifted enough to not be recognizable. Walking patterns? Too bad about that broken leg after your ski trip, you're locked out of your phone for three months or more.
Re:Luddite here (Score:4, Insightful)
Yep - I'm sure no one at Google thought about this. You should email them quick!
Re: (Score:2)
I'm not even sure Google knows what email is!
Re:Luddite here (Score:4, Insightful)
Yep - I'm sure no one at Google thought about this. You should email them quick!
What, you think Google is magic, or prescient?
Google has had A LOT of bad ideas. And went on to implement them, only later to realize they were bad ideas.
The thing about Google is that it (or Alphabet) is big enough that it can afford such failures... no matter how much it costs the rest of us.
Re: (Score:2)
Re: (Score:2)
Google has no public support mail address. All you get is to browse their help system with some superficial articles and some feedback button to the article, if you're lucky. Sending e-mail, even about scam in the chrome store or similar, is just not wanted by them.
Re: (Score:1)
Don't even need an exotic ski trip. Your gait is significantly impacted by moderate alcohol consumption, as is your typing and other motor skills, your vocabulary, and pretty much every other faux-biometric pattern. I just can't wait for the day when I have a few drinks and then can't login to Uber for a ride because Google says "nope, it's not really you!" This all seems like an answer in search of a problem, what the hell is so hard about a password? My phone remembers those for me if I ask it to, even wh
Re: Luddite here (Score:2)
Re: (Score:2)
Right... I guess you've never been so drunk to take more than 10 tries to enter your password on a full-sized keyboard. On an on-screen phone keyboard that'd be outright impossible.
But then, there's a difference between three beers vs a liter of vodka shutting you out of your authentication.
Re: (Score:2)
Oops, we don't recognize your typing. And despite the fact that this problem hasn't happened at all in the past year, we're sure you remember your password. :)
Re: (Score:2)
What about being secure enough for users?
Re: (Score:2)
What on earth is wrong with one factor authentication?
As long as that one factor is a stool sample, nothing!
note to self: patent phone cases that incorporate a handi wipe dispenser...
Re:Luddite here (Score:4, Funny)
What on Druidia is wrong with one two three four five?
Re: (Score:2)
Re: (Score:2)
It's what I use. Two factor means it gets tied to my phone, relies upon a SMS being sent to me if I forget password, and other inconveniences. Phone breaks, then two factor authentication is impossible. Or you left phone at home as you rushed out the door. Don't use SMS, then current google methods fail. Buy a new phone then you've got a few days of having everything break until you reset them. When I log into a dumb social media service on my PC then I don't want it to tell me to push a button on my pho
Re: (Score:2)
Re: (Score:2)
Nope, it does not. You can have google authenticator for example as hardware device, handy app, app on your pebble and pc program. Enough redundancy for everyone.
Re: (Score:2)
Relatively few users will voluntarily use two-factor authentication. Users are uniformly angry when forced to adopt two-factor authentication. I guess these alternative technologies would encourage wider adoption of security protocols by the masses.
Re: (Score:3)
And I would argue back that's because people in general are terrible at security. It takes a certain mindset to accept the purpose behind such things, let alone integrate them into anything approaching usefulness.
Re: (Score:2)
"accept[ing] the purpose" and "not being angry" are two different things.
If people weren't scumbags, we wouldn't need this (or door locks, etc..).
Locksmith, four seconds to unlock your house/car (Score:3)
When I used to do locksmith work, it would take me a few seconds to unlock your car or house if you locked the key inside. Customers were happy that I could bypass the security for them.
Now that I work in information security, most people seem to think something is horribly wrong if I'm able to bypass the security.
There is an appropriate level of security for each use case. Neither your apartment nor your Slashdot account needs to be an impenetrable fortress that even the CIA can't get in to. Sometimes,
Re: (Score:2)
On the other hand, if the CIA (or any other Federal or local organization, whether related to law enforcement or not) wishes to come into your house, the following are typically true:
(1) You know about it.
(2) It costs them a *significant* amount of money (have to pay the people to go out and knock on / bust down your door).
(3) There is huge risk of negative PR for them if they don't find what they're looking for.
(4) They need a warrant from a judge.
(5) Because of all the above, they have to be pretty darn s
Re: (Score:2)
When I used to do locksmith work, it would take me a few seconds to unlock your car or house if you locked the key inside. Customers were happy that I could bypass the security for them.
Now that I work in information security, most people seem to think something is horribly wrong if I'm able to bypass the security.
There is an appropriate level of security for each use case. Neither your apartment nor your Slashdot account needs to be an impenetrable fortress that even the CIA can't get in to. Sometimes, convenience does trump security.
That's why I used to use a three password system. One simple alpha password for accounts that don't matter and then a beta and gamma passwords for sort of secure and really secure accounts respectively and then a delta password for my email. Nowadays I use a Password Manager [keepass.info] and Two Factor Authentication [authy.com] for every place that allows it. [twofactorauth.org] I use KeePass because while I'm pretty careful I wasn't help with the security of a 3+1 password system nor the flexibility such as the fact that I tended to use Alpha for
Re: (Score:2)
There is a way to bypass password security and remain secure. This can be done via localised password applications and an accepted password protocol. Basically you use a local application with one password to create the password required to access the remote site. So in future that site sends a request for your password and you either allow or block your local password app from sending the password (which can of course be extremely long and complex and even rotate from access to access by handshaking with
Re: (Score:2)
And I was agreeing with you. The question is whether you howl at the moon or you devise another method that might be easier to adopt.
Re: (Score:2)
Hmm, let's see: in order to log in you must:
1. enable location tracking
2. type a certain phrase taking care not to deviate from the previous n times
3. dance a jigga, using the same moves you used the previous n times
What on Earth could go wrong?
Re: (Score:2)
Re: (Score:2)
Can't someone just create an app to make your phone send bogus location data? Then you can plot points in the middle of the ocean or some foreign city and have different locations for different apps.
For me, any app that needs to know where I am other than a map program just doesn't get installed or used. I'm likely not alone in that either.
Re: (Score:2)
So you don't do skype, whatsapp and don't browse the web on your Android device, right? And you must have also removed the Google Play services.
Re: (Score:2)
No, I don't have any of that on my phone. I do have play services installed and do not know how to uninstall it. My GPS is disabled, I have set Google services to not use it. And don't surf with chrome. (I use dolphin primarily)
Now the phone does try to pin a location down by IP address. But my provider uses a proxy and if I don't search for something specific by city state, it will suggest towns 3 or more states away.
I'm by no means 100% effective at stopping them from getting or using my location but I
Re: (Score:2)
If hackers can break into one database & get your name, number, SSN, password, credit card, etc, I don't think they'll have much trouble breaking into two.
If the companies even separate their authentication hashes on the back end.
Re:Luddite here (Score:5, Informative)
What on earth is wrong with two factor authentication? I can't see these being more secure.
The problem is - Google can't collect more information on you when you're using traditional two-factor authentication. With this new technique, on the other hand, Google will hopefully cut down on the pesky number of users who intentionally disable Google's monitoring when they aren't actively using Google's apps. To collect information on your walking cadence, for instance, they'll need to be able to track your walking constantly.
Re: (Score:2)
The simple fact that it's a pain in the arse.
Proving that you are you twice is far more difficult than someone knowing from the onset.
Re: (Score:2)
You're using it wrong.
Re: (Score:2)
Then what's the right way?
Re: (Score:2)
Really? Then do care to explain how adding a second factor of authentication is more convenient than simply having a password, and how it's all so more convenient than a device which simply knows that you are you and doesn't need to actually bug you to prove it.
The fact that authentication is a PITA, 2-factor even worse so is precisely what has led to the rise of ultra simple logins (pin, pattern, look in the camera, or don't take your finger off the button).
Re: (Score:2)
What on earth is wrong with two factor authentication? I can't see these being more secure.
Exactly.
What happened was that someone at Google decided two factor authentication wasn't complicated or cool enough, and came up with a "better" *cough* way to solve a problem that's already been solved. Plus it'll give them an excuse to gather even more data on you.
Re: (Score:2)
I'm not sure what your objection is about. It looks like this is a form of multi-factor authentication. The 2FA du jour is to either send an SMS or have an encryption key on your phone-- in both cases, the second factor is your phone. So you can't use that 2FA for signing into your phone.
So what's the solution that you'd like?
Re: (Score:1)
Re: (Score:2)
Or go visit an old friend you haven't seen in years.
Or injure your legs.
Re: (Score:2)
What I do is root my phone and run a firewall on it. The firewall blocks all traffic, in or out, from any app unless I specifically allow it. That way, I don't have to know what IP addresses to block -- I just block everything.
Just when I got used to using a password safe.... (Score:3)
....now they want me to start using authentication that assumes that I keep my same physical abilities all my life.
HAHAHAHAHAno.
Re: (Score:3)
It sounds like this biometric-based "trust score" will just be an additional verification factor... So I am not sure why they are saying it is going to replace 2nd factor.... it will BE the second (or third) factor...
Also, being a second factor implies that this will not unlock your device by itself... it will just be an additional "verification" on your unlock method... like: I see that you got the unlock dot sequence technically correct, but you did it in a swiping style that is inconsistent with all your
"your walking patterns, your current location" (Score:2)
Walking patterns? (Score:5, Funny)
Good luck getting that to work when you're drunk and trying to order up an Uber.
"I need -hic- whoa I need a uber to get home"
UNAUTHORIZED USER
"No like really man, open up and order me a..."
UNAUTHORIZED USER
"Oh fu...fu... fine... hic... Oh wait"
UNAUTHORIZED USER
"SHADDUP THAT WASN'T AN ATTEMPT"
UNAUTHORIZED USER
"wait wait... my voice is.. my passport, verify me?"
UNAUTHORIZED USER
"FUG YOU... Ima just gonna llie down on this soft concrete now..."
"Oh dude... check out this guy's awesome phone, grab it!"
User accepted, have a nice day.
"sweet!"
Re: (Score:2)
How DARE you say that Google Drive is that dangerous!
Re: (Score:2)
My bank will love this (Score:2)
"The company says that developers will have the option to adjust the threshold required for a trust score."
My bank will set the threshold at MaxScorePossible+2
I've given up on online banking as they use a 3rd party program which requires a bank-generated login name and account key, plus an extensive password requirement list, and a 30 day login timeout (if you don't login every 30 days or less you have to go to a branch to have login and key reset, and a new password issued. Via snail mail).
Re: (Score:3)
Simple solution: get a new bank, or better yet if you're in the US a credit union. Then again I deal with two of the largest banks in the world (BoA and Wells Fargo, both through acquisition of other banks) and they have no problem doing online banking correctly.
Re: (Score:3)
But I hope they also have a second channel for verification of login or transaction, like sending you an SMS with the amount transferred and the target account number along with a one time pin to sign the transaction, right?
If not, tell them their security theater is worth less than the TSA goons at the airport. And they're already worse than useless.
Walking pattern (Score:2)
The Difference (Score:2)
Google: Let's just try all kinds of shit and see what works and what doesn't.
Apple: We're not going to tell anybody what we're doing until it's perfect and may kill it before release.
They are two competitors with very very different approaches. I can't wait to see how this plays out in the long term! More entropy? Or less?
Just what we need - better tracking (Score:5, Insightful)
So they want a technology that can accurately identify me by all sorts of unconscious traits. This would make any form of anonymity impossible.
I completely understand why Google wants this - collecting and selling information is their business model. I don't understand why *I* as a customer would want it.
Re: (Score:2, Insightful)
You aren't the customer in this scenario. You are the product!
Re: (Score:1)
With Android, anonymity is already impossible.
It's not a bug. It's Android's main feature for Google.
Every time smart phones almost get there... (Score:2)
There is a second HUGE problem with this. Any app can gather sufficient biometrics to falsify a Trust Score. Even worse, unlike say an intentionally malicious app which could just replace your keyboard app and grab passwords by key logging, advertising and other agencies could request litt
Bio auth NOT protected by 5th Amendment (Score:5, Insightful)
Do not want. Courts can, and do, compel people to provide bio-metric data, as that is not protected by the 5th Amendment. Only passwords and pass-phrases are protected. Government agencies would LOVE this trend, especially if it became the only form of authentication on your device(s), as they wouldn't need a back door to your encryption anymore. Do not accept this weakening of your security.
Re: (Score:2)
Seriously? (Score:4, Insightful)
This seems horrible in every way possible.
Hidden message (Score:2, Interesting)
What Google is really saying is that they're tracking so many user behaviors that you will not be able to hide behind an alias.
another Android xmas (Score:2)
Oh great, security by any number of diffuse signals you—the user—don't entirely trust and can't functionally verify against either Type I and type II errors [wikipedia.org].
I'd rather google fix the Android infrastructure (Score:2)
What problem... (Score:5, Insightful)
What problem is this trying to solve? And more importantly, why is google collecting this specific information about users and once collected, how else will it be used and by whom? Maybe that's why the announcement was "low key." They were hoping it would go unnoticed.
Re: (Score:2)
Well if we assume (naively) that Google's intent is to make it more convenient and faster for users to unlock their phones, why not just standardize on technology that mimics the iPhone's Touch ID? The same button I press to turn on my screen is simultaneously scanning my finger to determine if I'm the authorized user. That level of convenience (with a fair bit of security, short of someone forcing you to unlock your own phone) is hard to surpass.
Press button, unlock phone. No typing passwords or PINs, no t
Re: (Score:2)
(with a fair bit of security, short of someone forcing you to unlock your own phone)
Ummm... if you enjoy the convenience of logging in with fingerprint scanners, that's fine -- but know that it's not very secure. Nowhere near as secure as a decent password. Nobody needs to force you to unlock your phone. All they need is a copy of your fingerprint, and fingerprints are pretty easy to get.
Hello Lockout (Score:2)
good luck on Halloween (Score:1)
nope (Score:2)
Since I don't see how these "signals" could be used to reliably produce a cryptographic key to unlock the data, seems to me like they are inherently inferior to the password.
Why take a step backwards technologically from something bad but workable to something unworkable?
What about the people who actually own the device? (Score:2)
Are we just saying F*** you to MDM and companies who allocate company owned cell phones to their employees? This is not a problem that needs to be solved.
Gee (Score:2)
*That* sounds secure. /s
So, in order to change /this/ password... (Score:1)
...I need to ... what? Chop a leg off? Move house?
Sounds like another version of "use something you can't change as a password, rather than as a user id."
I want it to be more secure, not less (Score:3)
I want to be able to write rules, so that, if I'm at home (Geo-location) and connected to the wireless, then you only need a simple unlock code.
If I'm out and about, I want it to be looking for my smart watch before it will unlock, or otherwise a yubikey (NFC).
If you want to get into my work section of my device you need *all* the above. Bluetooth, NFC and a strong unlock code.
If you don't have any of this stuff, no unlock. If you fail auth 7 times, full brick. Device destroyed.
I don't want to reward people who would mug me for my phone, if we got to the point where the devices are a worthless lump without an unlock, then people won't steal from you. Remove the incentive, remove the crime.
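The rule set in the comment above, written out as an added Python example (not part of the original post, and not Google's Trust API). The names `Signals`, `Zone` and `UnlockPolicy` are hypothetical, the signals are assumed to be already verified by the platform, and requiring an unlock code alongside the watch or YubiKey when away from home is an assumption about the commenter's intent.

```python
from dataclasses import dataclass
from enum import Enum

MAX_FAILURES = 7  # from the comment: "fail auth 7 times, full brick"

class Zone(Enum):
    PERSONAL = "personal"
    WORK = "work"

class Decision(Enum):
    UNLOCK = "unlock"
    DENY = "deny"
    WIPE = "wipe"

@dataclass(frozen=True)
class Signals:
    """Constructed signal set; every field defaults to 'not present' so that
    a missing signal can never help satisfy a rule (fail closed)."""
    at_home: bool = False         # geo-location matches home
    home_wifi: bool = False       # connected to the home wireless network
    watch_nearby: bool = False    # paired smart watch seen over Bluetooth
    yubikey_tapped: bool = False  # hardware key presented over NFC
    simple_code_ok: bool = False  # short unlock code entered correctly
    strong_code_ok: bool = False  # strong unlock code entered correctly

def rule_satisfied(zone: Zone, s: Signals) -> bool:
    """Deterministic rules: each one names exactly which factors it needs."""
    code_ok = s.simple_code_ok or s.strong_code_ok
    if zone is Zone.WORK:
        # Work section: *all* of Bluetooth, NFC and a strong code.
        return s.watch_nearby and s.yubikey_tapped and s.strong_code_ok
    if s.at_home and s.home_wifi:
        # At home on the home network: a simple code is enough.
        return code_ok
    # Out and about: watch, or otherwise the YubiKey, plus a code (assumption).
    return (s.watch_nearby or s.yubikey_tapped) and code_ok

class UnlockPolicy:
    """Tracks consecutive failures and wipes once MAX_FAILURES is reached."""

    def __init__(self) -> None:
        self.failures = 0
        self.wiped = False

    def attempt(self, zone: Zone, signals: Signals) -> Decision:
        if self.wiped:
            return Decision.WIPE          # a wiped device never unlocks again
        if rule_satisfied(zone, signals):
            self.failures = 0             # success resets the counter
            return Decision.UNLOCK
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.wiped = True
            return Decision.WIPE
        return Decision.DENY
```

Unlike a cumulative score with an adjustable threshold, each rule here either passes or fails on named factors, so a lockout can always be traced to the specific factor that was missing.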
Walk a Mile in my shoes (Score:2)
before you can login to my gmail.