Slashdot Mirror


Google Plans To Bring Password-Free Logins To Android Apps By Year-End (techcrunch.com)

An anonymous reader shares a report on TechCrunch: Google's plan to eliminate passwords in favor of systems that take into account a combination of signals -- like your typing patterns, your walking patterns, your current location, and more -- will be available to Android developers by year-end, assuming all goes well in testing this year. In an under-the-radar announcement Friday afternoon at the Google I/O developer conference, the head of Google's research unit ATAP (Advanced Technology and Projects) Daniel Kaufman offered a brief update regarding the status of Project Abacus, the name for a system that opts for biometrics over two-factor authentication. With Project Abacus, users would unlock devices or sign into applications based on a cumulative "Trust Score." This score would be calculated using a variety of factors, including your typing patterns, current location, speed and voice patterns, facial recognition, and other things. The Trust API will be available to developers, who can then implement that into their apps. The company says that developers will have the option to adjust the threshold required for a trust score.
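
The threshold trade-off described in the summary, as an added example that is not from the article, from Google, or from the Trust API (whose interface is not given on this page). The signal names, weights and sample readings are assumptions constructed for illustration; the code fuses per-signal match confidences into one score and reports false-reject and false-accept rates at several thresholds.

```python
# Added illustration: a generic weighted score-fusion model.
# This is NOT Google's Trust API; signal names, weights and readings are assumed.

# Hypothetical weight per signal (the weights sum to 1.0).
WEIGHTS = {"typing": 0.25, "gait": 0.20, "location": 0.15, "voice": 0.20, "face": 0.20}


def trust_score(signals):
    """Fuse per-signal match confidences (0.0 to 1.0) into one score.

    A missing signal contributes 0 (fail closed), so switching a sensor
    off can only lower the score, never raise it.
    """
    score = 0.0
    for name, weight in WEIGHTS.items():
        confidence = min(max(signals.get(name, 0.0), 0.0), 1.0)  # clamp to [0, 1]
        score += weight * confidence
    return score


# Constructed sample sessions: (description, is_owner, per-signal confidences).
SAMPLES = [
    ("owner, ordinary day", True,
     {"typing": 0.90, "gait": 0.90, "location": 1.00, "voice": 0.90, "face": 0.95}),
    ("owner with the flu (voice and typing shifted)", True,
     {"typing": 0.60, "gait": 0.80, "location": 1.00, "voice": 0.30, "face": 0.90}),
    ("owner with an injured leg, away from home", True,
     {"typing": 0.85, "gait": 0.10, "location": 0.20, "voice": 0.90, "face": 0.90}),
    ("stranger holding the phone nearby", False,
     {"typing": 0.30, "gait": 0.20, "location": 0.90, "voice": 0.10, "face": 0.05}),
    ("household member at the owner's home", False,
     {"typing": 0.40, "gait": 0.40, "location": 1.00, "voice": 0.50, "face": 0.50}),
]


def error_rates(samples, threshold):
    """Return (false_reject_rate, false_accept_rate) at the given threshold."""
    owners = [trust_score(s) for _, is_owner, s in samples if is_owner]
    others = [trust_score(s) for _, is_owner, s in samples if not is_owner]
    frr = sum(score < threshold for score in owners) / len(owners)
    far = sum(score >= threshold for score in others) / len(others)
    return frr, far


if __name__ == "__main__":
    for description, _, signals in SAMPLES:
        print(f"{trust_score(signals):.3f}  {description}")
    for threshold in (0.50, 0.65, 0.90):
        frr, far = error_rates(SAMPLES, threshold)
        print(f"threshold {threshold:.2f}: false reject {frr:.0%}, false accept {far:.0%}")
```

With these constructed readings, a threshold of 0.50 admits the household member, while 0.90 locks out the owner in both the flu and injured-leg sessions.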

109 comments

  1. Luddite here by liqu1d · · Score: 3, Insightful

    What on earth is wrong with two factor authentication? I can't see these being more secure.

    1. Re:Luddite here by Calydor · · Score: 5, Insightful

      In fact they will be extremely troublesome.

      Typing or voice patterns? Oh so sorry, you have a headache or the flu, your pattern has shifted enough to not be recognizable. Walking patterns? Too bad about that broken leg after your ski trip, you're locked out of your phone for three months or more.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    2. Re:Luddite here by Anonymous Coward · · Score: 0

      If it is secure enough for the developers intentions, and more convenient, seems like a sensible thing to introduce.

    3. Re:Luddite here by Anonymous Coward · · Score: 0

      What on earth is wrong with one factor authentication?

    4. Re:Luddite here by darkmeridian · · Score: 1

      Relatively few users will voluntarily use two-factor authentication. Users are uniformly angry when forced to adopt two-factor authentication. I guess these alternative technologies would encourage wider adoption of security protocols by the masses.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    5. Re:Luddite here by NatasRevol · · Score: 1

      If hackers can break into one database & get your name, number, SSN, password, credit card, etc, I don't think they'll have much trouble breaking into two.

      If the companies even separate their authentication hashes on the back end.

      --
      There are two types of people in the world: Those who crave closure
    6. Re:Luddite here by 93+Escort+Wagon · · Score: 4, Informative

      What on earth is wrong with two factor authentication? I can't see these being more secure.

      The problem is - Google can't collect more information on you when you're using traditional two-factor authentication. With this new technique, on the other hand, Google will hopefully cut down on the pesky number of users who intentionally disable Google's monitoring when they aren't actively using Google's apps. To collect information on your walking cadence, for instance, they'll need to be able to track your walking constantly.

      --
      #DeleteChrome
    7. Re:Luddite here by thegarbz · · Score: 1

      The simple fact that it's a pain in the arse.

      Proving that you are you twice is far more difficult than someone knowing from the onset.

    8. Re:Luddite here by JustAnotherOldGuy · · Score: 1

      What on earth is wrong with two factor authentication? I can't see these being more secure.

      Exactly.

      What happened was that someone at Google decided two factor authentication wasn't complicated or cool enough, and came up with a "better" *cough* way to solve a problem that's already been solved. Plus it'll give them an excuse to gather even more data on you.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    9. Re:Luddite here by FatdogHaiku · · Score: 1

      What on earth is wrong with one factor authentication?

      As long as that one factor is a stool sample, nothing!


      note to self: patent phone cases that incorporate a handi wipe dispenser...

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    10. Re:Luddite here by Anonymous Coward · · Score: 0

      Let's not forget packaging up "walking patterns" as a big data set for 8-9 figures a pop.

    11. Re:Luddite here by JackieBrown · · Score: 3, Insightful

      Yep - I'm sure no one at Google thought about this. You should email them quick!

    12. Re:Luddite here by H3lldr0p · · Score: 2

      And I would argue back that's because people in general are terrible at security. It takes a certain mindset to accept the purpose behind such things, let alone integrate them into anything approaching usefulness.

    13. Re:Luddite here by U2xhc2hkb3QgU3Vja3M · · Score: 1

      I'm not even sure Google knows what email is!

    14. Re:Luddite here by U2xhc2hkb3QgU3Vja3M · · Score: 3, Funny

      What on Druidia is wrong with one two three four five?

    15. Re:Luddite here by U2xhc2hkb3QgU3Vja3M · · Score: 1

      What on earth is wrong with two factor authentication?

      The simple fact that it's a pain in the arse.

      You're using it wrong.

    16. Re:Luddite here by Anonymous Coward · · Score: 0

      Your post reads as though you don't know how two factor auth reads. When you log in, it sends a one time code to a previously registered device that the user is then required to enter it to authenticate. It doesn't have you type in two different passwords. It's not about passwords, it's about making sure you are who you say you are.

    17. Re:Luddite here by Anonymous Coward · · Score: 1

      Don't even need an exotic ski trip. Your gait is significantly impacted by moderate alcohol consumption, as is your typing and other motor skills, your vocabulary, and pretty much every other faux-biometric pattern. I just can't wait for the day when I have a few drinks and then can't login to Uber for a ride because Google says "nope, it's not really you!" This all seems like an answer in search of a problem, what the hell is so hard about a password? My phone remembers those for me if I ask it to, even when I'm drunk.

    18. Re:Luddite here by Alumoi · · Score: 1

      Hmm, let's see: in order to log in you must:
      1. enable location tracking
      2. type a certain phrase taking care not to deviate from the previous n times
      3. dance a jigga, using the same moves you used the previous n times
      What on Earth could go wrong?

    19. Re:Luddite here by Anonymous Coward · · Score: 0

      So, instead of using 1 password (traditional method) I have to use 1 password (2 factor auth). What's the difference? Except the fact that $company now has at least 2 devices it can use to track me.

    20. Re:Luddite here by Anonymous Coward · · Score: 0

      I'm all for 2-factor, provided that one of the factors isn't my uniquely identifiable phone number.

    21. Re:Luddite here by mattack2 · · Score: 1

      "accept[ing] the purpose" and "not being angry" are two different things.

      If people weren't scumbags, we wouldn't need this (or door locks, etc..).

    22. Re:Luddite here by Anonymous Coward · · Score: 0

      What on earth is wrong with two factor authentication? I can't see these being more secure.

      I think this is about compromising a little security for a little convenience, maybe?

      The problem is - Google can't collect more information on you when you're using traditional two-factor authentication.

      Alternate email address? Mobile phone number?

    23. Re: Luddite here by liqu1d · · Score: 1

      Although that could help prevent drunk dialling an ex

    24. Re: Luddite here by Anonymous Coward · · Score: 0

      that is only a problem if she turns down the request for sex.

    25. Re:Luddite here by Anonymous Coward · · Score: 0

      For it to be a two-factor authentication it has to have two factors. And if people use an app on their smartphone, getting an sms on their smartphone doesn't help.

    26. Re:Luddite here by Anonymous Coward · · Score: 0

      Worse, oh sorry your biometrics / "variety of information" has been compromised by the breach of the month. Now we need to reset YOU.

    27. Re:Luddite here by desdinova+216 · · Score: 1

      that's my luggage combination, you insensitive clod!

    28. Re:Luddite here by nine-times · · Score: 1

      I'm not sure what your objection is about. It looks like this is a form of multi-factor authentication. The 2FA du jour is to either send an SMS or have an encryption key on your phone-- in both cases, the second factor is your phone. So you can't use that 2FA for signing into your phone.

      So what's the solution that you'd like?

    29. Re:Luddite here by Flavianoep · · Score: 1

      Now I have a reason to turn to Windows Phone or iOS, because not very far in the future, any effing app in Android will demand access to my location data, walking patterns, and other such rubbish to allow me to use them.

      --
      Linux is for people who don't mind RTFM.
    30. Re:Luddite here by KiloByte · · Score: 1

      Right... I guess you've never been so drunk to take more than 10 tries to enter your password on a full-sized keyboard. On an on-screen phone keyboard that'd be outright impossible.

      But then, there's a difference between three beers vs a liter of vodka shutting you out of your authentication.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    31. Re: Luddite here by Anonymous Coward · · Score: 0

      Everybody in the US remember this: authentication based on things that don't involve something you know (like a password) can be subpoenaed by the police and other kinds of bad actors.

      I wouldn't trust this garbage with anything.

    32. Re:Luddite here by Darinbob · · Score: 1

      It's what I use. Two factor means it gets tied to my phone, relies upon a SMS being sent to me if I forget password, and other inconveniences. Phone breaks, then two factor authentication is impossible. Or you left phone at home as you rushed out the door. Don't use SMS, then current google methods fail. Buy a new phone then you've got a few days of having everything break until you reset them. When I log into a dumb social media service on my PC then I don't want it to tell me to push a button on my phone to continue.

      Two factor is probably good for *important* stuff; like my bank account. Social media fluff doesn't fit into that category. It's also more secure to not put sensitive data anywhere near where Google or "the cloud" can see it

    33. Re:Luddite here by sumdumass · · Score: 1

      Can't someone just create an app to make your phone send bogus location data? Then you can plot points in the middle of the ocean or some foreign city and have different locations for different apps.

      For me, any app that needs to know where i am other than a map program just doesn't get installed or used. I'm likely not alone in that either.

    34. Re:Luddite here by Anonymous Coward · · Score: 0

      Relatively few users will voluntarily use two-factor authentication. Users are uniformly angry when forced to adopt two-factor authentication. I guess these alternative technologies would encourage wider adoption of security protocols by the masses.

      Wait you think the same users who are angry about setting up TFA will be appeased by this API based trust authentication? I mean it's fine for things like humanity checks but for identity checks? I see these "Angry Users" getting even more annoyed because of how nebulous the whole thing is.

    35. Re:Luddite here by ceallaigh · · Score: 1

      Because Google wants to know more about you for tracking purposes and other business ideas.

    36. Re:Luddite here by Anonymous Coward · · Score: 0

      Exactly.

      What happened was that someone at Google decided two factor authentication wasn't complicated or cool enough, and came up with a "better" *cough* way to solve a problem that's already been solved. Plus it'll give them an excuse to gather even more data on you.

      This except backwards.

    37. Re:Luddite here by The+Finn · · Score: 1

      How's that cloudless life working out for you?

      --
      NetBSD: the cathedral vs the bizzare.
    38. Re:Luddite here by Jane+Q.+Public · · Score: 3, Insightful

      Yep - I'm sure no one at Google thought about this. You should email them quick!

      What, you think Google is magic, or prescient?

      Google has had A LOT of bad ideas. And went on to implement them, only later to realize they were bad ideas.

      The thing about Google is that it (or Alphabet) is big enough that it can afford such failures... no matter how much it costs the rest of us.

    39. Re:Luddite here by JohnFen · · Score: 1

      What about being secure enough for users?

    40. Re:Luddite here by JohnFen · · Score: 1

      Then what's the right way?

    41. Re:Luddite here by Alumoi · · Score: 1

      So you don't do skype, whatsapp and don't browse the web on your Android device, right? And you must have also removed the Google Play services.

    42. Re:Luddite here by piojo · · Score: 1

      Oops, we don't recognize your typing. And despite the fact that this problem hasn't happened at all in the past year, we're sure you remember your password. :)

      --
      A cat can't teach a dog to bark.
    43. Re:Luddite here by Waccoon · · Score: 1

      These people made Google+. I wouldn't be surprised if they did think, but don't give a shit.

    44. Re: Luddite here by Anonymous Coward · · Score: 0

      Pretty darn good. It's all sunshine here.

    45. Re:Luddite here by darkmeridian · · Score: 1

      And I was agreeing with you. The question is whether you howl at the moon or you devise another method that might be easier to adopt.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    46. Re:Luddite here by thegarbz · · Score: 1

      Really? Then do care to explain how adding a second factor of authentication is more convenient than simply having a password, and how it's all so more convenient than a device which simply knows that you are you and doesn't need to actually bug you to prove it.

      The fact that authentication is a PITA, 2-factor even worse so is precisely what has led to the rise of ultra simple logins (pin, pattern, look in the camera, or don't take your finger off the button).

    47. Re:Luddite here by Anonymous Coward · · Score: 0

      Passwords and two-factor are broken because they allow people to create shared accounts to get around one-person = one-purchase DRM.

      Phones are different from browsers in that the "ecosystem" entices developers to write apps by offering control over users. In the same way web browsers are trusted agents acting on the users' behalf, phones are trusted agents acting on the developers' behalf. Passwords are a weak link in this regime.

    48. Re:Luddite here by allo · · Score: 1

      Google has no public support mail address. All you get is to browse their help system with some superficial articles and some feedback button to the article, if you're lucky. Sending e-mail, even about scam in the chrome store or similar, is just not wanted by them.

    49. Re:Luddite here by allo · · Score: 1

      nope, it does not. You can have google authenticator for example as hardware device, handy app, app on your pebble and pc program. Enough redundancy for everyone.

    50. Re:Luddite here by sumdumass · · Score: 1

      No, i don't have any of that on my phone. I do have play services installed and do not know how to uninstall it. My GPS is disabled, i have set Google services to not use it. And don't surf with chrome. (I use dolphin primarily )

      Now the phone does try to pin a location down by IP address. But my provider uses a proxy and if i don't search for something specific by city state, it will suggest towns 3 or more states away.

      I'm by no means 100% effective at stopping them from getting or using my location but i do as much as I can to prevent it.

    51. Re:Luddite here by Anonymous Coward · · Score: 0

      So Lonny can "rebut anybody" by telling a mother there's a special place in Hell for her, but I can't object? Sure. [DumbSci]

      By the way, from Hayhoe's Bible: "But as for the cowardly murderers ... and all liars, their portion will be... in the lake that burns with fire and sulfur, which is the second death." That's what Christians mean by "a special place". Most of them get the reference. You didn't, apparently. FYI it's a common phrase among Christians. [Lonny highlights the word "hypocrites"] [Lonny Eachus, 2016-06-05]

      Once again Lonny, you have a remarkable ability to rationalize your own behavior. Lonny seems to be denying that he's attacking scientists, while simultaneously doubling down on his baseless "liar" and "hypocrite" attacks.

      Does Lonny seriously think he wasn't attacking a mother by telling her there's a special place in Hell for people like her? Wow. Lonny should try to remember that one Christian mother already said she was "pretty sure" Lonny was attacking her. If Lonny is actually just honestly confused about how this works (rather than simply acting like a pathologically dishonest psychopath who sadistically enjoys attacking mothers) then maybe Lonny should stand outside a Christian church and tell every mother leaving with young children that there's a special place in Hell for people like her. Then Lonny could ask if that's an attack or just a common phrase.

    52. Re:Luddite here by Anonymous Coward · · Score: 0

      I am very careful to not "falsely" accuse. You have not demonstrated similar caution. This tweet, for example. [Lonny Eachus, 2016-06-05]

      You've been falsely accusing scientists of dishonesty and fraud for years, Lonny! You just can't admit you're wrong, so you'll never be able to recognize that all your hysterical accusations are baseless.

      For instance, you've been falsely accusing Cook et al. of fraud. I've explained that your accusations are false, and pointed out that NASA disagrees with your false accusations. You've even admitted it's "bothersome" that NASA supports the Cook paper, but you don't seem capable of understanding that NASA supports it because your accusations are simply false.

      Also, Lonny falsely accuses scientists of being "liars" if they acknowledge the global sea level rise of ~3 mm/year. Which means that Lonny is falsely accusing NASA, the University of Colorado, the US National Academy of Sciences, and the UK Royal Society of being "liars".

      And that doesn't even include all the times Lonny Eachus falsely accused me of lying.

      @voxday be warned: this guy [DumbSci] is SJW personified. [Lonny Eachus, 2016-05-20]

      You should read @voxday's "SJWs Always Lie". If you're honest with yourself, you will see yourself in its pages. [Lonny Eachus, 2016-06-05]

      Oh, the irony! Lonny admitted he lied a lot when he was younger, and just a few months ago Lonny admitted he lies about climate science. Seems like Lonny Eachus didn't "get over" lying a lot.

      Lonny Eachus might have merely been honestly mistaken when he first falsely accused NOAA and NASA scientists of adjusting global temperature data "always cooler in the past and warmer now". But then I showed Lonny that his accusation was false; in reality NOAA and NASA have adjusted global temperature data to reduce global warming over the last century. However, even after that Lonny Eachus keeps making the same false accusation over and over and over and over and over. According to Lonny's own rule, that means Lonny Eachus stopped being honest.

      Lonny

    53. Re:Luddite here by Anonymous Coward · · Score: 0

      Oops, " violate God win's law:" should be " violate God win's law." (change the colon to a period).

  2. hmm by Anonymous Coward · · Score: 0

    While, sure, you could add a bunch of data to say "it looks like user X behavior" what I suspect it will do in reality is....

    - set a UUID and secret that represent you
    - use the additional heuristic to ensure its reasonably still you

    the point is though that the format IS like a user/password, it's just that you don't have to type it, it's generated for you and saved in your google account (which has a password, btw). Basically, your google account becomes a password manager, and the heuristic are just here to present phishing/misuse/etc.

    Not the other way around, as this article would lead you to believe

  3. Just be sure by Anonymous Coward · · Score: 0

    Don't drink too much or have a stroke. You might lose access to your devices and data.

    1. Re:Just be sure by NatasRevol · · Score: 1

      Or go visit an old friend you haven't seen in years.

      Or injure your legs.

      --
      There are two types of people in the world: Those who crave closure
  4. time to start blocking google by Anonymous Coward · · Score: 0

    what ip's should I block? And what javascript do I need to filter out from all other internet pages?

    1. Re:time to start blocking google by JohnFen · · Score: 1

      What I do is root my phone and run a firewall on it. The firewall blocks all traffic, in or out, from any app unless I specifically allow it. That way, I don't have to know what IP addresses to block -- I just block everything.

    2. Re:time to start blocking google by Anonymous Coward · · Score: 0

      Better yet, just don't own a phone at all!

  5. Just when I got used to using a password safe.... by MAXOMENOS · · Score: 2

    ....now they want me to start using authentication that assumes that I keep my same physical abilities all my life.

    HAHAHAHAHAno.

  6. "your walking patterns, your current location" by HumanWiki · · Score: 1

    Well, awesome.. My "password" to everything will be my couch. Guess it's fitting that would be the key to my online world, it's already the key to my real life one.

  7. Walking patterns? by the_skywise · · Score: 5, Funny

    Good luck getting that to work when you're drunk and trying to order up an Uber.
    "I need -hic- whoa I need a uber to get home"
    UNAUTHORIZED USER
    "No like really man, open up and order me a..."
    UNAUTHORIZED USER
    "Oh fu...fu... fine... hic... Oh wait"
    UNAUTHORIZED USER
    "SHADDUP THAT WASN'T AN ATTEMPT"
    UNAUTHORIZED USER
    "wait wait... my voice is.. my passport, verify me?"
    UNAUTHORIZED USER
    "FUG YOU... Ima just gonna llie down on this soft concrete now..."
    "Oh dude... check out this guys awesome phone, grab it!"
    User accepted, have a nice day.
    "sweet!"

    1. Re:Walking patterns? by Anonymous Coward · · Score: 0

      More likely:
      "Oh FUG it then, I'll drive home, I'm not that drunk"
      Later... "FUG, I hope that guy in that car I crashed into is alive"

    2. Re:Walking patterns? by codeButcher · · Score: 1

      Then you should stay permanently drunk.

      --
      Free, as in your money being freed from the confines of your account.
    3. Re:Walking patterns? by the_skywise · · Score: 1

      How DARE you say that Google Drive is that dangerous!

  8. My bank will love this by Overzeetop · · Score: 1

    "The company says that developers will have the option to adjust the threshold required for a trust score."

    My bank will set the threshold at MaxScorePossible+2

    I've given up on online banking as they use a 3rd party program which requires a bank-generated login name and account key, plus an extensive password requirement list, and a 30 day login timeout (if you don't login every 30 days or less you have to go to a branch to have login and key reset, and a new password issued. Via snail mail).

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:My bank will love this by afidel · · Score: 2

      Simple solution:get a new bank, or better yet if you're in the US a credit union. Then again I deal with two of the largest banks in the world (BoA and Wells Fargo, both through acquisition of other banks) and they have no problem doing online banking correctly.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:My bank will love this by Opportunist · · Score: 2

      But I hope they also have a second channel for verification of login or transaction, like sending you an SMS with the amount transferred and the target account number along with a one time pin to sign the transaction, right?

      If not, tell them their security theater is worth less than the TSA goons at the airport. And they're already worse than useless.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Walking pattern by JoshuaZ · · Score: 1

    The use of walking pattern as an identity feature has been tried by a few people. Some of the first research on this was done by Ari Trachtenberg and his students at Boston University. I remember being very impressed when they presented the basics and found the idea of using the accelerometer to measure how one was walking to be pretty neat. They were careful to emphasize that it wasn't by itself an ideal or unique identifier. So in this context, combining it with other signals makes a lot of sense.

  10. fingerprint vs password by Anonymous Coward · · Score: 0

    How does this compare to fingerprint vs password access?
    At the risk of a contempt charge, can an uncooperative defendant still maintain a locked device?

  11. Re:Just when I got used to using a password safe.. by The-Ixian · · Score: 2

    It sounds like this biometric-based "trust score" will just be an additional verification factor... So I am not sure why they are saying it is going to replace 2nd factor.... it will BE the second (or third) factor...

    Also, being a second factor implies that this will not unlock your device by itself... it will just be an additional "verification" on your unlock method... like: I see that you got the unlock dot sequence technically correct, but you did it in a swiping style that is inconsistent with all your previous unlocks... so no login, try again.

    So, saying that it will remove the needs for passwords is... well... lying really.

    I mean, how would that work even if it was true? Phone: "Walk around a bit to unlock." what?

    I mean, the tech is neat, but it would seem as though the article is getting some facts completely wrong... either that, or I am not understanding this correctly...

    --
    My eyes reflect the stars and a smile lights up my face.
  12. The Difference by lazarus · · Score: 1

    Google: Let's just try all kinds of shit and see what works and what doesn't.
    Apple: We're not going to tell anybody what we're doing until it's perfect and may kill it before release.

    They are two competitors with very very different approaches. I can't wait to see how this plays out in the long term! More entropy? Or less?

    --
    I am not interested in articles about life extension advancements.
  13. Just what we need - better tracking by joe_frisch · · Score: 4, Insightful

    So they want a technology that can accurately identify me by all sorts of unconscious traits. This would make any form of anonymity impossible.

    I completely understand why Google wants this - collecting and selling information is their business model. I don't understand why *I* as a customer would want it.

    1. Re:Just what we need - better tracking by Anonymous Coward · · Score: 2, Insightful

      You aren't the customer in this scenario. You are the product!

    2. Re:Just what we need - better tracking by Anonymous Coward · · Score: 1

      This would make any form of anonymity impossible.

      With Android, anonymity is already impossible.
      It's not a bug. It's Android's main feature for Google.

  14. behavioural fingerprinting by Anonymous Coward · · Score: 0

    behavioural fingerprinting

    Two things I do not want
      1) biometrics
      2) behavioural fingerprinting

    This is just another means to profile YOU. Now they can track all your "patterns" on every website and app.

  15. Every time smart phones almost get there... by aaronb1138 · · Score: 1

    What an incredibly stupid way to blow through CPU cycles. Seriously, use my local processing power for things I want, like local search, voice interaction and navigation which can work offline / from cache consistently.

    There is a second HUGE problem with this. Any app can gather sufficient biometrics to falsify a Trust Score. Even worse, unlike say an intentionally malicious app which could just replace your keyboard app and grab passwords by key logging, advertising and other agencies could request little pieces of biometrics and heuristics from different sources in innocuous ways until a complete picture for forging a Trust Score emerges.

    Didn't we just go over the bit about RunKeeper recording and then passing along a fairly nice stack of location / movement statistics?

  16. Bio auth NOT protected by 5th Amendment by thedarb · · Score: 5, Insightful

    Do not want. Courts can, and do, compel people to provide bio-metric data, as that is not protected by the 5th Amendment. Only passwords and pass-phrases are protected. Government agencies would LOVE this trend, especially if it became the only form of authentication on your device(s), as they wouldn't need a back door to your encryption anymore. Do not accept this weakening of your security.

    --
    This sig intentionally left blank.
  17. Wanking pattern by Anonymous Coward · · Score: 0

    Learn to do it consistently or you'll be denied access....

    1. Re:Wanking pattern by reboot246 · · Score: 1

      You're wanking because you were denied access!

  18. Seriously? by SumDog · · Score: 3, Insightful

    This seems horrible in every way possible.

  19. Hidden message by Anonymous Coward · · Score: 2, Interesting

    What Google is really saying is that they're tracking so many user behaviors that you will not be able to hide behind an alias.

  20. another Adroid xmas by epine · · Score: 1

    Oh great, security by any number of diffuse signals you—the user—don't entirely trust and can't functionally verify against either Type I and type II errors.

  21. I'd rather google fix the Android infrastructure by QuietLagoon · · Score: 1

    As it stands at the moment, Android devices take months to get security and OS updates, if they get them at all. For me, that is, BY FAR, the biggest disadvantage of Android-based devices. Any difficulties or annoyances due to the need to type in a password absolutely pales in comparison to the apparently lax security policies of the Android environment.

  22. Chronic false positive by Anonymous Coward · · Score: 0

    Some of us have brain injuries we deal with, the weakness in the right leg makes walking patterns a bit unpredictable, spasticity in right arm makes that very erratic. Aphasia and partially paralyzed vocal cords make voice recognition difficult at best. Needs a lot of work...

  23. no backdoor needed... by Anonymous Coward · · Score: 0

    Just what the feds want

  24. What problem... by Dcnjoe60 · · Score: 4, Insightful

    What problem is this trying to solve? And more importantly, why is Google collecting this specific information about users and once collected, how else will it be used and by whom? Maybe that's why the announcement was "low key." They were hoping it would go unnoticed.

    1. Re:What problem... by allquixotic · · Score: 1

      Well if we assume (naively) that Google's intent is to make it more convenient and faster for users to unlock their phones, why not just standardize on technology that mimics the iPhone's Touch ID? The same button I press to turn on my screen is simultaneously scanning my finger to determine if I'm the authorized user. That level of convenience (with a fair bit of security, short of someone forcing you to unlock your own phone) is hard to surpass.

      Press button, unlock phone. No typing passwords or PINs, no trying to remember the way you walked yesterday, no finagling with voice intonation, no combing your hair so you look the same to the camera... Perfectly reliable and secure enough for most.

      Probably we have to assume the reason they're doing this is *not* to benefit user convenience.

    2. Re:What problem... by JohnFen · · Score: 1

      (with a fair bit of security, short of someone forcing you to unlock your own phone)

      Ummm... if you enjoy the convenience of logging in with fingerprint scanners, that's fine -- but know that it's not very secure. Nowhere near as secure as a decent password. Nobody needs to force you to unlock your phone. All they need is a copy of your fingerprint, and fingerprints are pretty easy to get.

  25. Hello Lockout by jetkust · · Score: 1

    Google still finding innovative ways to lock you out of your accounts.

  26. good luck on Halloween by funkymonkjay · · Score: 1

    face recognition, nope!
    normal walking pattern, hell..
    unlocking phone to take a selfie.. denied.
    maybe this is a good thing after all.

    how about running from a mugger use case?
    face recognition, tough after a punch to the face
    running pattern, def not normal
    calling 911, better hope the phone has emergency dial from locked screen.

  27. Is it working? Is it too permissive? by Anonymous Coward · · Score: 0

    If we can log in, how do we know that the device isn't letting EVERYONE in? Maybe it blocks your family member or a co-worker who tested it for you, but maybe it's still too permissive and lets many people in. At least with other technologies it's easier to test if they're working or not.
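Added example (not part of the thread, and not Google's Trust API): the question in comment 27, and the Type I/Type II point in comment 20, can only be answered by measuring both error rates against labelled attempts, including attempts by people who are not the owner. The 0-100 score scale and all sample scores are constructed, and the scorer that would produce them is hypothetical.

```python
"""Measure both error types of a score-threshold login from labelled attempts."""

# Constructed sample data: trust scores from a hypothetical scorer.
OWNER_SCORES = [91, 88, 76, 95, 83, 69, 90, 87, 58, 93]     # genuine attempts
IMPOSTOR_SCORES = [22, 41, 35, 64, 18, 72, 49, 30, 55, 27]  # other people


def error_rates(threshold, genuine, impostor):
    """Return (false_reject_rate, false_accept_rate) when score >= threshold unlocks."""
    frr = sum(s < threshold for s in genuine) / len(genuine)     # owner locked out
    far = sum(s >= threshold for s in impostor) / len(impostor)  # stranger let in
    return frr, far


def sweep(genuine, impostor, thresholds):
    """Error rates at every candidate threshold, as (threshold, frr, far) tuples."""
    return [(t, *error_rates(t, genuine, impostor)) for t in thresholds]


def lowest_threshold_for(max_far, genuine, impostor, thresholds):
    """Lowest threshold whose measured FAR is within max_far, or None if none is."""
    for t in sorted(thresholds):
        frr, far = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, frr, far
    return None


if __name__ == "__main__":
    for t, frr, far in sweep(OWNER_SCORES, IMPOSTOR_SCORES, range(40, 100, 10)):
        print(f"threshold {t}: owner rejected {frr:.0%}, impostor accepted {far:.0%}")
    # An owner who only tests with their own attempts sees 0% rejection at
    # threshold 50 and cannot tell that 30% of impostor attempts also pass.
    print(lowest_threshold_for(0.0, OWNER_SCORES, IMPOSTOR_SCORES, range(40, 100, 10)))
```
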

  28. nope by TheCarp · · Score: 1

    Since I don't see how these "signals" could be used to reliably produce a cryptographic key to unlock the data, seems to me like they are inherently inferior to the password.

    Why take a step backwards technologically from something bad but workable to something unworkable?

    --
    "I opened my eyes, and everything went dark again"
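Added example (not part of the thread): the difficulty comment 28 points at, shown with a naive derivation. A password run through PBKDF2 yields the same key every time, while two slightly different readings from the same person hash to unrelated keys even though a distance-based matcher accepts both. The feature values, salt, quantisation step and tolerance are all constructed.

```python
import hashlib
import math

SALT = b"constructed-demo-salt"  # constructed; a real device would store a random salt
ITERATIONS = 100_000


def key_from_password(password: str) -> bytes:
    """Exact input in, same 32-byte key out, every time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


def key_from_signals(features) -> bytes:
    """Naive derivation: round each reading to one decimal place, then hash."""
    encoded = ",".join(f"{x:.1f}" for x in features).encode()
    return hashlib.pbkdf2_hmac("sha256", encoded, SALT, ITERATIONS)


def matches(enrolled, sample, tolerance=0.5) -> bool:
    """Score-style check: accept when the Euclidean distance is within tolerance."""
    return math.dist(enrolled, sample) <= tolerance


# Constructed, normalised readings for three behavioural features.
ENROLLED = (1.12, 0.21, 1.31)
SAME_USER_LATER = (1.17, 0.21, 1.30)  # same person, slightly different day


def compare():
    """Return (password key stable?, signal key stable?, matcher accepts?)."""
    stable_pw = key_from_password("correct horse") == key_from_password("correct horse")
    stable_sig = key_from_signals(ENROLLED) == key_from_signals(SAME_USER_LATER)
    return stable_pw, stable_sig, matches(ENROLLED, SAME_USER_LATER)


if __name__ == "__main__":
    # 1.12 rounds to 1.1 and 1.17 rounds to 1.2, so the hashed inputs differ
    # although the readings are only about 0.05 apart.
    print(compare())
```
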
  29. more unique private data by Anonymous Coward · · Score: 0

    for merkins to sell to advertisers just so they can track & sell you shit. I hope the EU outlaws it.

  30. What about the people who actually own the device? by ComputerGeek01 · · Score: 1

    Are we just saying F*** you to MDM and companies who allocate company owned cell phones to their employees? This is not a problem that needs to be solved.

  31. Locksmith, four seconds to unlock your house/car by raymorris · · Score: 2

    When I used to do locksmith work, it would take me a few seconds to unlock your car or house if you locked the key inside. Customers were happy that I could bypass the security for them.

    Now that I work in information security, most people seem to think something is horribly wrong if I'm able to bypass the security.

    There is an appropriate level of security for each use case. Neither your apartment nor your Slashdot account needs to be an impenetrable fortress that even the CIA can't get in to. Sometimes, convenience does trump security.

  32. Google is bad at authentication already! by Anonymous Coward · · Score: 0

    I recently traveled to another city for work and didn't have my phone on me. I tried to log in to my account with my correct username and password only to be told I HAD to have access to my phone (two factor is off on this account) in order to log in even though I had the username and password. I literally had no way to log in to my e-mail account until I had access to my phone again! I could see maybe if I had to guess 5 times to get the correct password! I can only imagine that this system will be much much worse and more frustrating!

    1. Re:Google is bad at authentication already! by Anonymous Coward · · Score: 0

      That happened to me too! (web gmail from another state). After that happened, I no longer associate my android phones to my google account. Sure, I can't install 3rd party apps, but at least I'll never be locked out of my own damn phone (or gmail) again.

  33. Re:Locksmith, four seconds to unlock your house/ca by allquixotic · · Score: 1

    On the other hand, if the CIA (or any other Federal or local organization, whether related to law enforcement or not) wishes to come into your house, the following are typically true:

    (1) You know about it.
    (2) It costs them a *significant* amount of money (have to pay the people to go out and knock on / bust down your door).
    (3) There is huge risk of negative PR for them if they don't find what they're looking for.
    (4) They need a warrant from a judge.
    (5) Because of all the above, they have to be pretty darn sure that you're involved in some kind of crime before they do it.

    None of these factors will necessarily be true if we allow the government to have encryption backdoors. They can just passively monitor the population whenever they choose to (which, other factors notwithstanding, would be "always") for any signs of disobedience. And in their quest to be ever-watchful and more and more effective at fighting crime and terrorism, they will soon step up their efforts to "next-level" attack prevention, like thought police -- just typing a few characters into Google, writing an opinion piece, or expressing certain ideas could get you labeled as a deviant and thrown away in jail.

    In closing, I will quote you the mission of the CIA from Wikipedia:

    "The Central Intelligence Agency is a civilian foreign intelligence service of the U.S. Government, tasked with gathering, processing and analyzing national security information from around the world, primarily through the use of human intelligence."

    In what world is it anywhere remotely within their jurisdiction, for an organization that is not law enforcement and whose gaze should be *outward* to other countries rather than *inward* to the US, to insert themselves into the communications of US citizens, in an automated, computerized way (instead of "human" as the mission says), for the purposes of law enforcement, which is not at all part of their mission?

    No, I'm not okay with the CIA deciding they'd like to get into my online presence in any capacity beyond what I post publicly. Private means private. I'm perfectly fine with losing my data permanently if I lose the access credential, precisely because making a "oops" key is exactly as insecure as making a backdoor for the three-letter acronym agencies.

    And like I said, whereas it requires a number of checks and balances accompanied with a high degree of confidence for these guys to come knocking at your house, it requires basically nothing at all -- not even the faintest hint of suspicion -- for them to decrypt, monitor and analyze your private data. Your only defense is to swallow the key and pray there's no backdoor in your crypto.

  34. Gee by allquixotic · · Score: 1

    *That* sounds secure. /s

  35. Re:Locksmith, four seconds to unlock your house/ca by thewolfkin · · Score: 1

    When I used to do locksmith work, it would take me a few seconds to unlock your car or house if you locked the key inside. Customers were happy that I could bypass the security for them.

    Now that I work in information security, most people seem to think something is horribly wrong if I'm able to bypass the security.

    There is an appropriate level of security for each use case. Neither your apartment nor your Slashdot account needs to be an impenetrable fortress that even the CIA can't get in to. Sometimes, convenience does trump security.

    That's why I used to use a three password system. One simple alpha password for accounts that don't matter and then a beta and gamma passwords for sort of secure and really secure accounts respectively and then a delta password for my email. Nowadays I use a Password Manager and Two Factor Authentication for every place that allows it. I use KeePass because while I'm pretty careful I wasn't help with the security of a 3+1 password system nor the flexibility such as the fact that I tended to use Alpha for everything and only switch when that site got hacked. I started to use Google Authenticator but I hit that phone failsafe issue where I was constantly worried about what happened if my phone was off or dead or lost. The fact that I had to go through a version of that when I switched phones only cemented my fears. I ended up at Authy and full Two Factor because Authy provided me the flexibility and failsafes to complete the loop that KeePass started. I now feel comfortable with appropriately complex passwords on everything. I don't worry about having to enter them on my phone because KeePass has android ports that can access a cloud stored back up of my database. It's controlled (by me), it's uniform. I know how to do it on every site I need to do it on. It's practically unintrusive at this point in my life. The type of security I'll use is about how much I trust it, how consistent the experience is and how easy it is to use. Two Factor isn't hard and it's rigidly consistent.

    --
    Just another second banana
  36. Re:Locksmith, four seconds to unlock your house/ca by rtb61 · · Score: 1

    There is a way to bypass password security and remain secure. This can be done via localised password applications and an accepted password protocol. Basically you use a local application with one password to create the password required to access the remote site. So in future that site sends a request for your password and you either allow or block your local password app from sending the password (which can of course be extremely long and complex and even rotate from access to access by handshaking with the password request site). You can automate that local permission or use a simple pin or for the slightly fussier your favourite 'threewordpassphrase' with no spaces. Each and every web site you connect to, from each individual appliance (multiple password access, with the originating appliance allowing, new appliances), with a unique complex rotating password. Just needs an agreed protocol to make it possible.

    --
    Chaos - everything, everywhere, everywhen
  37. Taking "keylogging" to a whole new level! by Anonymous Coward · · Score: 0

    This is great news! Using plain, easily loggable data as an authentication system. What could possibly go wrong?

  38. So, in order to change /this/ password... by shabble · · Score: 1

    ...I need to ... what? Chop a leg off? Move house?

    Sounds like another version of "use something you can't change as a password, rather than as a user id."

  39. I want it to be more secure, not less by bernywork · · Score: 2

    I want to be able to write rules, so that, if I'm at home (Geo-location) and connected to the wireless, then you only need a simple unlock code.

    If I'm out and about, I want it to be looking for my smart watch before it will unlock, or otherwise a yubikey (NFC).

    If you want to get into my work section of my device you need *all* the above. Bluetooth, NFC and a strong unlock code.

    If you don't have any of this stuff, no unlock. If you fail auth 7 times, full brick. Device destroyed.

    I don't want to reward people who would mug me for my phone, if we got to the point where the devices are a worthless lump without an unlock, then people won't steal from you. Remove the incentive, remove the crime.

    --
    Curiosity was framed; ignorance killed the cat. -- Author unknown
  40. Recaptcha proved they are incompetent by Anonymous Coward · · Score: 0

    Recaptcha is supposed to track your mouse and typing patterns, to let you avoid typing or clicking images. So far, it's let me avoid it less than 1% of the time, and I doubt my patterns vary that much.

    So, Google has proved they are incompetent at using patterns for authentication.

  41. Hi, I'm on vacation by Anonymous Coward · · Score: 0

    and now my phone doesn't trust me.
    Oh sure, someone will say you can get around this.
    Thus begins the ever increasingly annoying dance of authentication, channelling through multiple other services, pulling out passwords I never use, and other various five steps from my original intent actions until I want to scream in frustration.

  42. Walk a Mile in my shoes by allo · · Score: 1

    before you can login to my gmail.