Google Plans To Bring Password-Free Logins To Android Apps By Year-End (techcrunch.com)
An anonymous reader shares a report on TechCrunch: Google's plan to eliminate passwords in favor of systems that take into account a combination of signals -- like your typing patterns, your walking patterns, your current location, and more -- will be available to Android developers by year-end, assuming all goes well in testing this year. In an under-the-radar announcement Friday afternoon at the Google I/O developer conference, the head of Google's research unit ATAP (Advanced Technology and Projects) Daniel Kaufman offered a brief update regarding the status of Project Abacus, the name for a system that opts for biometrics over two-factor authentication. With Project Abacus, users would unlock devices or sign into applications based on a cumulative "Trust Score." This score would be calculated using a variety of factors, including your typing patterns, current location, speed and voice patterns, facial recognition, and other things. The Trust API will be available to developers, who can then implement that into their apps. The company says that developers will have the option to adjust the threshold required for a trust score.
What on earth is wrong with two factor authentication? I can't see these being more secure.
....now they want me to start using authentication that assumes that I keep my same physical abilities all my life.
HAHAHAHAHAno.
Finding God in a Dog
Well, awesome.. My "password" to everything will be my couch. Guess it's fitting that would be the key to my online world, it's already the key to my real life one.
Good luck getting that to work when you're drunk and trying to order up an Uber.
"I need -hic- whoa I need a uber to get home"
UNAUTHORIZED USER
"No like really man, open up and order me a..."
UNAUTHORIZED USER
"Oh fu...fu... fine... hic... Oh wait"
UNAUTHORIZED USER
"SHADDUP THAT WASN'T AN ATTEMPT"
UNAUTHORIZED USER
"wait wait... my voice is.. my passport, verify me?"
UNAUTHORIZED USER
"FUG YOU... Ima just gonna llie down on this soft concrete now..."
"Oh dude... check out this guy's awesome phone, grab it!"
User accepted, have a nice day.
"sweet!"
"The company says that developers will have the option to adjust the threshold required for a trust score."
My bank will set the threshold at MaxScorePossible+2
I've given up on online banking as they use a 3rd party program which requires a bank-generated login name and account key, plus an extensive password requirement list, and a 30 day login timeout (if you don't login every 30 days or less you have to go to a branch to have login and key reset, and a new password issued. Via snail mail).
Is it just my observation, or are there way too many stupid people in the world?
The use of walking pattern as an identity feature has been tried by a few people. Some of the first research on this was done by Ari Trachtenberg and his students at Boston University. I remember being very impressed when they presented the basics and found the idea of using the accelerometer to measure how one was walking to be pretty neat. They were careful to emphasize that it wasn't by itself an ideal or unique identifier. So in this context, combining it with other signals makes a lot of sense.
Or go visit an old friend you haven't seen in years.
Or injure your legs.
There are two types of people in the world: Those who crave closure
It sounds like this biometric-based "trust score" will just be an additional verification factor... So I am not sure why they are saying it is going to replace 2nd factor.... it will BE the second (or third) factor...
Also, being a second factor implies that this will not unlock your device by itself... it will just be an additional "verification" on your unlock method... like: I see that you got the unlock dot sequence technically correct, but you did it in a swiping style that is inconsistent with all your previous unlocks... so no login, try again.
So, saying that it will remove the needs for passwords is... well... lying really.
I mean, how would that work even if it was true? Phone: "Walk around a bit to unlock." what?
I mean, the tech is neat, but it would seem as though the article is getting some facts completely wrong... either that, or I am not understanding this correctly...
My eyes reflect the stars and a smile lights up my face.
Google: Let's just try all kinds of shit and see what works and what doesn't.
Apple: We're not going to tell anybody what we're doing until it's perfect and may kill it before release.
They are two competitors with very very different approaches. I can't wait to see how this plays out in the long term! More entropy? Or less?
I am not interested in articles about life extension advancements.
So they want a technology that can accurately identify me by all sorts of unconscious traits. This would make any form of anonymity impossible.
I completely understand why Google wants this - collecting and selling information is their business model. I don't understand why *I* as a customer would want it.
What an incredibly stupid way to blow through CPU cycles. Seriously, use my local processing power for things I want, like local search, voice interaction and navigation which can work offline / from cache consistently.
There is a second HUGE problem with this. Any app can gather sufficient biometrics to falsify a Trust Score. Even worse, unlike say an intentionally malicious app which could just replace your keyboard app and grab passwords by key logging, advertising and other agencies could request little pieces of biometrics and heuristics from different sources in innocuous ways until a complete picture for forging a Trust Score emerges.
Didn't we just go over the bit about RunKeeper recording and then passing along a fairly nice stack of location / movement statistics?
Do not want. Courts can, and do, compel people to provide bio-metric data, as that is not protected by the 5th Amendment. Only passwords and pass-phrases are protected. Government agencies would LOVE this trend, especially if it became the only form of authentication on your device(s), as they wouldn't need a back door to your encryption anymore. Do not accept this weakening of your security.
This sig intentionally left blank.
This seems horrible in every way possible.
What Google is really saying is that they're tracking so many user behaviors that you will not be able to hide behind an alias.
Oh great, security by any number of diffuse signals you—the user—don't entirely trust and can't functionally verify against either Type I or Type II errors.
As it stands at the moment, Android devices take months to get security and OS updates, if they get them at all. For me, that is, BY FAR, the biggest disadvantage of Android-based devices. Any difficulties or annoyances due to the need to type in a password absolutely pales in comparison to the apparently lax security policies of the Android environment.
What problem is this trying to solve? And more importantly, why is google collecting this specific information about users and once collected, how else will it be used and by whom? Maybe that's why the announcement was "low key." They were hoping it would go unnoticed.
Google still finding innovative ways to lock you out of your accounts.
Face recognition: nope! Normal walking pattern: hell... Unlocking the phone to take a selfie: denied. Maybe this is a good thing after all. How about the running-from-a-mugger use case? Face recognition: tough after a punch to the face. Running pattern: def not normal. Calling 911: better hope the phone has emergency dial from the locked screen.
Since I don't see how these "signals" could be used to reliably produce a cryptographic key to unlock the data, seems to me like they are inherently inferior to the password.
Why take a step backwards technologically from something bad but workable to something unworkable?
"I opened my eyes, and everything went dark again"
Are we just saying F*** you to MDM and companies who allocate company owned cell phones to their employees? This is not a problem that needs to be solved.
When I used to do locksmith work, it would take me a few seconds to unlock your car or house if you locked the key inside. Customers were happy that I could bypass the security for them.
Now that I work in information security, most people seem to think something is horribly wrong if I'm able to bypass the security.
There is an appropriate level of security for each use case. Neither your apartment nor your Slashdot account needs to be an impenetrable fortress that even the CIA can't get into. Sometimes, convenience does trump security.
On the other hand, if the CIA (or any other Federal or local organization, whether related to law enforcement or not) wishes to come into your house, the following are typically true:
(1) You know about it.
(2) It costs them a *significant* amount of money (have to pay the people to go out and knock on / bust down your door).
(3) There is huge risk of negative PR for them if they don't find what they're looking for.
(4) They need a warrant from a judge.
(5) Because of all the above, they have to be pretty darn sure that you're involved in some kind of crime before they do it.
None of these factors will necessarily be true if we allow the government to have encryption backdoors. They can just passively monitor the population whenever they choose to (which, other factors notwithstanding, would be "always") for any signs of disobedience. And in their quest to be ever-watchful and more and more effective at fighting crime and terrorism, they will soon step up their efforts to "next-level" attack prevention, like thought police -- just typing a few characters into Google, writing an opinion piece, or expressing certain ideas could get you labeled as a deviant and thrown away in jail.
In closing, I will quote you the mission of the CIA from Wikipedia:
"The Central Intelligence Agency is a civilian foreign intelligence service of the U.S. Government, tasked with gathering, processing and analyzing national security information from around the world, primarily through the use of human intelligence."
In what world is it anywhere remotely within their jurisdiction, for an organization that is not law enforcement and whose gaze should be *outward* to other countries rather than *inward* to the US, to insert themselves into the communications of US citizens, in an automated, computerized way (instead of "human" as the mission says), for the purposes of law enforcement, which is not at all part of their mission?
No, I'm not okay with the CIA deciding they'd like to get into my online presence in any capacity beyond what I post publicly. Private means private. I'm perfectly fine with losing my data permanently if I lose the access credential, precisely because making a "oops" key is exactly as insecure as making a backdoor for the three-letter acronym agencies.
And like I said, whereas it requires a number of checks and balances accompanied with a high degree of confidence for these guys to come knocking at your house, it requires basically nothing at all -- not even the faintest hint of suspicion -- for them to decrypt, monitor and analyze your private data. Your only defense is to swallow the key and pray there's no backdoor in your crypto.
*That* sounds secure. /s
You're wanking because you were denied access!
When I used to do locksmith work, it would take me a few seconds to unlock your car or house if you locked the key inside. Customers were happy that I could bypass the security for them.
Now that I work in information security, most people seem to think something is horribly wrong if I'm able to bypass the security.
There is an appropriate level of security for each use case. Neither your apartment nor your Slashdot account needs to be an impenetrable fortress that even the CIA can't get into. Sometimes, convenience does trump security.
That's why I used to use a three password system. One simple alpha password for accounts that don't matter, then beta and gamma passwords for sort-of-secure and really secure accounts respectively, and then a delta password for my email. Nowadays I use a Password Manager and Two Factor Authentication for every place that allows it. I use KeePass because while I'm pretty careful I wasn't happy with the security of a 3+1 password system nor the flexibility, such as the fact that I tended to use Alpha for everything and only switch when that site got hacked. I started to use Google Authenticator but I hit that phone failsafe issue where I was constantly worried about what happened if my phone was off or dead or lost. The fact that I had to go through a version of that when I switched phones only cemented my fears. I ended up at Authy and full Two Factor because Authy provided me the flexibility and failsafes to complete the loop that KeePass started. I now feel comfortable with appropriately complex passwords on everything. I don't worry about having to enter them on my phone because KeePass has Android ports that can access a cloud-stored backup of my database. It's controlled (by me), it's uniform. I know how to do it on every site I need to do it on. It's practically unintrusive at this point in my life. The type of security I'll use is about how much I trust it, how consistent the experience is and how easy it is to use. Two Factor isn't hard and it's rigidly consistent.
Just another second banana
There is a way to bypass password security and remain secure. This can be done via localised password applications and an accepted password protocol. Basically you use a local application with one password to create the password required to access the remote site. So in future that site sends a request for your password and you either allow or block your local password app from sending the password (which can of course be extremely long and complex and even rotate from access to access by handshaking with the password request site). You can automate that local permission or use a simple pin or, for the slightly fussier, your favourite 'threewordpassphrase' with no spaces. Each and every web site you connect to, from each individual appliance (multiple password access, with the originating appliance allowing new appliances), with a unique complex rotating password. Just needs an agreed protocol to make it possible.
Chaos - everything, everywhere, everywhen
What I do is root my phone and run a firewall on it. The firewall blocks all traffic, in or out, from any app unless I specifically allow it. That way, I don't have to know what IP addresses to block -- I just block everything.
...I need to ... what? Chop a leg off? Move house?
Sounds like another version of "use something you can't change as a password, rather than as a user id."
http://harridanic.com
I want to be able to write rules, so that, if I'm at home (Geo-location) and connected to the wireless, then you only need a simple unlock code.
If I'm out and about, I want it to be looking for my smart watch before it will unlock, or otherwise a yubikey (NFC).
If you want to get into my work section of my device you need *all* the above. Bluetooth, NFC and a strong unlock code.
If you don't have any of this stuff, no unlock. If you fail auth 7 times, full brick. Device destroyed.
I don't want to reward people who would mug me for my phone, if we got to the point where the devices are a worthless lump without an unlock, then people won't steal from you. Remove the incentive, remove the crime.
Curiosity was framed; ignorance killed the cat. -- Author unknown
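The context-based unlock rules in the post above (simple code at home on the home Wi-Fi, watch or NFC key when out, everything for the work profile, brick after 7 failures) expressed as a small policy evaluator. This is an added example, not code from the post or from Google's Trust API; the signal names, the `Context`/`Device` types and the choice that a simple code is still needed together with the watch or key when away from home are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum

MAX_FAILURES = 7  # "If you fail auth 7 times, full brick" (from the post)


class Profile(Enum):
    PERSONAL = "personal"
    WORK = "work"


@dataclass
class Context:
    """Signals observed at unlock time (all constructed for this example)."""
    at_home: bool          # geo-location says the phone is at home
    on_home_wifi: bool     # connected to the trusted home wireless network
    watch_present: bool    # paired smart watch reachable over Bluetooth
    yubikey_tapped: bool   # hardware key presented over NFC
    code_strength: str     # "none", "simple" or "strong" unlock code entered


@dataclass
class Device:
    failed_attempts: int = 0
    bricked: bool = False  # once set, no unlock is ever granted again


def try_unlock(dev: Device, ctx: Context, profile: Profile) -> bool:
    """Apply the policy; return True if granted, and track failures."""
    if dev.bricked:
        return False
    code_ok = ctx.code_strength in ("simple", "strong")
    strong_ok = ctx.code_strength == "strong"
    token_ok = ctx.watch_present or ctx.yubikey_tapped
    if profile is Profile.WORK:
        # Work section needs *all* of it: Bluetooth, NFC and a strong code.
        granted = ctx.watch_present and ctx.yubikey_tapped and strong_ok
    elif ctx.at_home and ctx.on_home_wifi:
        granted = code_ok                      # at home: simple code suffices
    else:
        granted = code_ok and token_ok         # out and about (assumption: code + token)
    if granted:
        dev.failed_attempts = 0                # assumption: success resets the counter
        return True
    dev.failed_attempts += 1
    if dev.failed_attempts >= MAX_FAILURES:
        dev.bricked = True
    return False
```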
before you can login to my gmail.