Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Tests Signing Into Accounts Using Your Phone, No Password Required (venturebeat.com)

Posted by Soulskill on from the 123456-letmein dept.

An anonymous reader writes: Google's battle against poor passwords continues. The company is now testing a new Google Account option that lets users login using their phone, skipping the part where you have to enter your password. The feature uses your phone to authenticate your identity by bringing up a notification that allows you to grant or deny access to your account. Google confirmed it was testing the feature with a small group of users.

8 of 108 comments (clear)

  1. Single factor authentication by nmb3000 · · Score: 4, Interesting

    This is still single-factor authentication. All they've done is change from "something you know" to "something you have". And, since that "something you have" can break or get lost or stolen, I'm not sure they haven't just replaced one problem with another.

    Passwords suck, but nobody can steal your password from your work/library/restaurant table while you're off taking a dump (or whatever).

    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    /)
    1. Re:Single factor authentication by Freedom+Bug · · Score: 2

      If somebody has access to your phone, they have access to your email. If they have access to your email they have access to all your accounts since they can reset the passwords quite easily.

      So make sure you have a secure lock screen on that phone to turn it into two-factor auth.

    2. Re:Single factor authentication by swillden · · Score: 2

      If somebody has access to your phone, they have access to your email.

      Maybe in Google's fantasy world, but certainly not in the world I now live in, using my actual phone, they don't! Having any possible connection between my phone and my email would be a bloody stupid thing to do, given the "security" of most phones.

      I guess Freedom Bug should have qualified it with "For values of 'you' that include 99% of smartphone users."

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Single factor authentication by AmiMoJo · · Score: 2

      No. That was just HTC with their custom implementation. Android's native system uses (and requires) the phone's secure storage area that is hardware protected (similar to Android Pay and Apple's secure storage). Samsung also use secure storage for their custom fingerprint scanner.

      It was only ever HTC doing their own thing.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. WTF? by YrWrstNtmr · · Score: 2, Insightful

    I'm sorry...but not everything needs to revolve around the 'phone'.

    My phone is stolen/broken/lost..and now I can't use my laptop to get into my email?

    "You won’t need your password to sign in, but you can always use it if you want to"
    And after a while of not using that password...you've completely forgotten it.

  3. Re: I'm about to solve the problem another way by Anonymous Coward · · Score: 5, Insightful

    This is Google Real names v2. They didn't like the backlash against them the first time but they want to propagate a unique ID to identify everything you do, so they make it easy for you to *use* any persona you have to log into their services. It's just a matter of time until you've logged in with each of your real life personas through all the devices and accounts you own, and every time they swallow one more chunk of your life history.

  4. Re:There needs to be a recovery password by BradleyUffner · · Score: 2

    They need to issue a recovery password for every account. This would be a serial number in case the account ever gets hijacked. It can only get you in to reset your password. It could be written down and stored in a safe or in a safety deposit box. And it cannot be changed. It would be displayed only one time by the website and never be visible again to anyone. So you click on the link, it says "record this" and you write it down and put it in a safe. And that link would never work again.

    Yes yes, I know, you hate the idea.

    They already offer this for their 2-factor system. They issue you 10 single use keys that you can use in place of the code generate by the phone app. It works almost exactly as you described. There is no reason that it couldn't easily be carried over to this system.

  5. Google Authenticator over Wi-Fi by tepples · · Score: 2

    Multiple users have a wired phone line are going to be cheesed off.

    Google could offer a list of carriers that sell service on Nexus phones. Or Google could offer an authenticator app that works over Wi-Fi on tablets and on phones whose cellular service has expired. Or, as the featured article points out, passwords will continue to work for the foreseeable future. I can't verify whether Google is already offering passwordless authentication on Wi-Fi devices because the featured article didn't specify which devices are compatible beyond a screenshot stating "To use your phone to sign in, you'll need a compatible phone with a screen lock."