Google's Open YOLO Project Will Remove the Need For Passwords On Android (thenextweb.com)

← Back to Stories (view on slashdot.org)

Google's Open YOLO Project Will Remove the Need For Passwords On Android (thenextweb.com)

Posted by msmash on Friday August 5, 2016 @03:25AM from the yolo dept.

An anonymous reader writes via a report on The Next Web: Google is partnering with password management service Dashlane to build what they're calling Open YOLO (You Only Login Once), a new API that will allow Android apps to securely access your login credentials to sign you in without any fuss. The project is open source, which means anyone can scrutinize the code used to build it and find bugs, or even contribute and improve the API. That also means that it'll be available for other password management services to implement in their tools. Dashlane will be the first to integrate it; the company noted in a blog post that other services are also collaborating on this project and will likely to follow soon. It also hopes that Open YOLO will eventually launch on other operating systems as well.

47 of 91 comments (clear)

Min score:

Reason:

Sort:

God Help Us All by Anonymous Coward · 2016-08-05 03:30 · Score: 1, Insightful

It's like, how about we just let everybody look at our shit, and fuck privacy already, right?\
Let's just try it and see what happens. Why not?
What could possibly go wrong?
1. Re: God Help Us All by Anonymous Coward · 2016-08-05 03:40 · Score: 1
  
  That's brand recognition!
2. Re:God Help Us All by kheldan · 2016-08-05 04:08 · Score: 3
  
  What could possibly go wrong?
  Aside from, as you allude to, everyone rummaging through our collective underwear drawers when we're not home? How about 'one-stop shopping' for hackers looking to score metric assloads of access and personal data?
  
  --
  Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
3. Re:God Help Us All by tripleevenfall · 2016-08-05 04:10 · Score: 1
  
  If only someone could come up with a single sign-on solution in the mobile space that a thief couldn't use, like if it scanned your thumbprint or something.
4. Re:God Help Us All by zlives · 2016-08-05 04:16 · Score: 2
  
  you failed at "single sign-on"
5. Re: God Help Us All by PopeRatzo · 2016-08-05 04:24 · Score: 2, Funny
  
  What's already gone wrong is that open YOLO makes me think of gaping assholes.
  To be fair, almost everything makes you think of gaping assholes.
  
  --
  You are welcome on my lawn.
6. Re:God Help Us All by kheldan · 2016-08-05 04:24 · Score: 1
  
  2016:
  Still using single-factor authentication
  Pretending your data and accounts are 'secure'
  {click for reaction visual}
  
  I have Bad News for you, sir: You don't understand what 'secure' means.
  
  --
  Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
"... sign you in without any fuss." by Anonymous Coward · 2016-08-05 03:30 · Score: 3, Funny

Or security when someone runs off with your phone. But it's all good because YOLO.
1. Re:"... sign you in without any fuss." by swillden · 2016-08-05 05:28 · Score: 4, Informative
  
  Or security when someone runs off with your phone. But it's all good because YOLO.
  This is why you need to password-protect your phone.
  On a recent Android device, one launched with Marshmallow, password authentication is usually implemented in the Trusted Execution Environment (TEE), including doing brute force mitigation (exponentially-increasing delays after failed authentication attempts) in the TEE. On such a device, even a four-digit PIN is pretty strong, as long as you don't get shoulder-surfed. I say "usually" because this TEE-based password authentication feature was not made mandatory in Marshmallow (which should be rectified for Nougat... though only for devices that initially launch with Nougat). However, the vast majority of devices launched with Marshmallow do have it.
  If your phone is well-protected, then YOLO makes a lot of sense.
  (Disclosure/Disclaimer: I'm a Google Android engineer. I work on the TEE-based authentication component, but not on YOLO.)
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
2. Re:"... sign you in without any fuss." by Khyber · 2016-08-05 08:44 · Score: 1
  
  Before you guys work on authentication try making a mobile OS that doesn't need GHz+ processing speeds and 4GB+ RAM to be fucking useful. We had videos and games and shit on 533MHz Pentium 3 with 256-512MB RAM and if lucky a 64-128MB GPU, and a responsive and fast operating system. You seem to able to achieve almost none of this, and that technology is from the late 90s.
  Tell your Google overlords to get the fuck back to basics. MenuetOS could eat your lunch if they hit the mobile space.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
3. Re:"... sign you in without any fuss." by Z80a · 2016-08-05 13:54 · Score: 1
  
  Actually, even a beefy Amiga could be snappy as hell.
  But bad programmers gotta bad program.
4. Re:"... sign you in without any fuss." by swillden · 2016-08-06 01:34 · Score: 1
  
  Before you guys work on authentication try making a mobile OS that doesn't need GHz+ processing speeds and 4GB+ RAM
  That sort of mobile OS is apparently not what people want, because no one is making one of those (ignoring your exaggeration about RAM requirements).
  
  MenuetOS could eat your lunch if they hit the mobile space.
  Sounds good to me. Someone should do it.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Another terrible idea by JustAnotherOldGuy · 2016-08-05 03:32 · Score: 1, Flamebait

Another terrible idea thought up by some bored ding-dong at Google.

--
Just cruising through this digital world at 33 1/3 rpm...
1. Re:Another terrible idea by Flavianoep · 2016-08-05 03:37 · Score: 1
  
  It's because passwords look too outdated. Lets substitute something lean and brand-new that will last no more than a decade.
  
  --
  Linux is for people who don't mind RTFM.
2. Re:Another terrible idea by Anonymous Coward · 2016-08-05 03:46 · Score: 1
  
  It's because passwords look too outdated. Lets substitute something lean and brand-new that will last no more than a decade.
  I can't believe I'm saying this, but I almost hope that systems that implement this get hacked to death in order to shorten that window of pain and stupidity.
OH, good by Anonymous Coward · 2016-08-05 03:33 · Score: 2, Insightful

Now all my online accounts can have one point of hacking failure.
GREAT idea.
1. Re:OH, good by MerlinTheWizard · 2016-08-05 04:07 · Score: 1
  
  Exactly. Obsessive centralization has been the hallmark of the XXIst century so far. And you thought that was gone with the USSR. Not so. It just shifted from political to economical, but it still has its use politically. One password for everything means that, not only hackers, but governments can tap into anyone's data with a single entry point and no need to use complex tools.
2. Re:OH, good by allo · 2016-08-07 09:24 · Score: 1
  
  nothing new, if you use login with google/facebook/twitter everywhere. Even Slashdot let's you use your openid stuff.
HHGTTG by spiritplumber · 2016-08-05 03:34 · Score: 1

Didn't Douglas Adams write about this?

--
Liberty - Security - Laziness - Pick any two.
Because I WANT to share the same password with all by gurps_npc · 2016-08-05 03:36 · Score: 3, Interesting

You don't use the same password for your email as you use for your bank account because you want to make sure that when one is compromised, the other is not.
Using a single login is just a slightly easier version of using the same password for all your accounts.
It is JUST as stupid as using the same password for your every account.
The only difference is that the people with your password are promising not to steal money from you outright.
They don't promise to respect your privacy in any way, because they are planning on abusing the crap out of it.
Trusting someone that's outright plan is to abuse your trust is not a smart thing to do.

--
excitingthingstodo.blogspot.com
Track you everywhere with one password ! by Anonymous Coward · 2016-08-05 03:38 · Score: 1

Now they'll be able to track you all over the web from one convenient login. No thanks. Not using it.
People *really* need to start kicking back against all this crap now. It's almost too late. Soon the internet will be single log, in total tracking, no anonymity, no freedom of information etc. etc.
Better, Faster, Stronger. by CrashNBrn · 2016-08-05 03:43 · Score: 3, Funny

Lets reimplement OpenID! Now with 100% more YOLO.
1. Re:Better, Faster, Stronger. by ausekilis · 2016-08-05 04:30 · Score: 1
  
  And here I thought that everybody that used that acronym had already taken their only selfies with the front bumper of speeding trains.
I hate SSO. by sims+2 · 2016-08-05 03:45 · Score: 2

I hate single sign on there is no reason I shouldn't be able to login to a separate account for email and for youtube. Leave the apps separate please!

--
Minimum threshold fixed. Thanks!
1. Re:I hate SSO. by pla · 2016-08-05 03:59 · Score: 2
  
  You can - Just make separate accounts for the two separate functions. Really that easy.
  
  Hell, half the internet already accepts SSO via Google, Facebook, or Twitter; I do not use any of those to log in anywhere except Google, Facebook, or Twitter.
2. Re:I hate SSO. by sims+2 · 2016-08-05 07:24 · Score: 1
  
  This goes back to a previous complaint I have with android phones. On android (maybe even on newer ios versions) if you sign into any amazon app you are automaticly signed in on every other amazon app so I can't be signed into an account with books and an account with movies at the same time.
  They are seprate apps why can't I have seprate logins?
  
  --
  Minimum threshold fixed. Thanks!
3. Re:I hate SSO. by Khyber · 2016-08-05 08:47 · Score: 1
  
  Because Amazon's programmers simply aren't that fucking smart and it's about time people realize it. The people that write game console emulators are smarter.
  I mean, Amazon used to have FurAffinity's fucking DRAGONEER working for them. That should tell you just how fucking stupid the company is.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
4. Re:I hate SSO. by Khyber · 2016-08-07 03:11 · Score: 1
  
  Uh, yea, when did you see the website code? Lying sack of shit. :D
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Like corporate SSO? by GreenEnvy22 · 2016-08-05 03:52 · Score: 2

So it's similar to the many different SSO products on the market for corporate use, but made for personal use. We implemented SSO at work earlier this year. Some of our apps are able to integrate directly into it (and it links back to Active Directory) like Google Apps and Salesforce. Other apps it just acts as a password manager and will paste in their login info for them once the user enters it once. Having the same concerns about having all this accessible if you break one account, we made it harder to break into that one account. We enforce 2 factor authentication, so you need a mobile device linked to your account that sends a confirmation in. All mobile devices connecting to our systems have to have PIN's on them and wipe after 10 bad tries. So for someone to break into a user account, even if they get the password, they still can't login online with it unless they physically also have the users phone, and have managed to unlock that as well. With the users password they could login to a workstation at the office, but they'd still get the 2FA prompt before they can get at e-mail or any other web based apps.
1. Re:Like corporate SSO? by phishybongwaters · 2016-08-05 04:25 · Score: 1
  
  they don't even need your phone, just the number. They check the lists to see who your service provider is, then tell them some BS about having the phone/sim stolen, get the number ported to THEIR phone, and now your two factor is actually on their phone, then they bleed you dry. Ask the bunch of youtubers and streamers how that worked out for them.
2. Re: Like corporate SSO? by GreenEnvy22 · 2016-08-06 04:16 · Score: 1
  
  If you were doing SMS based two factor you'd be right. We don't however.It's has an app on your phone that generates a new 6 digit code every 30 seconds. Each phone is unique, so the provider couldn't do anything to help the attacker. Even reinstalling the app generates a new instance of the app that needs to be registered with us. Also in the above scenario, the thief still doesn't have the users password, so wouldn't get to the 2nd factor. User can call IT from another phone and we can lock down the account, and if phone still online, track, lock, or wipe it.
3. Re: Like corporate SSO? by jsh1972 · 2016-08-06 21:23 · Score: 1
  
  AND your squirtle!
Wow! Google is getting creepier and more stupid! by cpotoso · 2016-08-05 04:04 · Score: 2

This is incredible... why in the world would I want to allow a single-point compromise (i.e., hacked phone) result in total control of all of my accounts? Creepy and stupid. I really think google developers are out of control. The company products are getting less and less attractive.
Re:Because I WANT to share the same password with by NotInHere · 2016-08-05 04:17 · Score: 3, Interesting

Yeah I'll probably never use that app, but I find the idea of an open API super useful, because I'm sure someone will implement an open source app that I can trust, and thanks to the API, it will be supported everywhere.
Re:Because I WANT to share the same password with by Solandri · 2016-08-05 04:24 · Score: 4, Informative

It's be stupid to use this with your bank account. But I do have a dozen or so forums I occasionally post on and other sites which really shouldn't require an account, but they force you to make one to get access (e.g. they only let you read 3 forum posts a day anonymously). Those are basically throwaway accounts so I use the same password with them anyway. Something like this would be handy for that. Though as it's been pointed out, OpenID already tries to do that.

It's actually safer than re-using the same password on multiple sites as I've been doing. If you use the same password, if one site gets hacked, they have your password to all the other sites. With YOLO or OpenID, since the login confirmation is between the site and YOLO/OpenID, the damage is limited to the site which got hacked. They only get access to all your accounts if they hack YOLO/OpenID or your computer.
Re:Wow! Google is getting creepier and more stupid by Anonymous Coward · 2016-08-05 04:25 · Score: 1

Because people don't log into ads, and advertisers want you to log in to view ads. Now shut up and accept what Google is going to do with their phone that they let you use.
Login Once P0wn3d Everywhere by Thud457 · 2016-08-05 04:28 · Score: 3, Funny

YOLO - You Only Lose Once

--
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
1. Re: Login Once P0wn3d Everywhere by fubarrr · 2016-08-06 10:55 · Score: 1
  
  Why googlers are so stupid?
Re:Because I WANT to share the same password with by LeadSongDog · 2016-08-05 04:59 · Score: 1

Trusting someone that's outright plan is to abuse your trust is not a smart thing to do.
(Suppressing my inner grammar-nazi) So, who do you think is not going to abuse your trust? Of course, they'll be the next takeover target...

--
Oh, I'm sorry sir, I thought you were referring to me, Mr. Wensleydale.
Re:Because I WANT to share the same password with by SirSlud · 2016-08-05 05:05 · Score: 1

Clearly, this is a slippery slope to mandating that you use the same password for everything. /sarcasm
Obviously, it isn't .. for a bunch of low-importance websites, since normal people have dozens of logins at this point, you can at least share login details among similarly-ranked importance levels. And as somebody else pointed out, at least now when you regain control of a single login, you simultaneously regain control of all associated accounts rather than trusting that you're organized and have the time to go through and change them all.
So no, it is not JUST as stupid, and your entire point is predicated on the absurd notion that everyone is too dumb not to use the same login for their offshore tax haven accounts and their Reddit account except you.

--
"Old man yells at systemd"
multi-level preveleges everywhere by 4wdloop · 2016-08-05 06:40 · Score: 1

The SSO/YOLO will be here, we're lazy humans. So I need:
First level with a day use password, easy to "read", some "write" ability.
Second level an "elevated" privileges of the account etc. must have high barrier of entry, different password, call-me-in-person back to verify (not automated though like 2-step verification), single use codes etc. Some execute this when logging from a new device. That's good but not enough.
E.g. I want to check my bank account - "daily use". I want to conduct transfers or change password - "elevated" and hence much tougher authentication.
This way if my first SSO/YOLO gets broken in I could wipe out all the other password accounts in one step with my "elevated" and unbroken password that is not a YOLO. Yes this may not be convenient to execute but hopefully it does not happen very often?
On the other hand 2 step verification every time I use something is too annoying...

--
4wdloop
can we start with common password rules first? by 4wdloop · 2016-08-05 06:41 · Score: 1

It would be easier for me (a human) to remember and/or generate passwords if the rules where consistent across all web sites.

--
4wdloop
SQRL by Mike+Van+Pelt · 2016-08-05 07:19 · Score: 1

From the limited information, it looks like this is probably dependent on a centralized server somewhere doing the authentication. I would much prefer a system that is entirely between you and whatever sites you log into, with no central server to go down and take all your logins with it. SQRL seems like a pretty good approach. (But we're probably going to get stuck with a hundred different competing incompatible systems.)
Re:Because I WANT to share the same password with by mjm1231 · 2016-08-05 07:38 · Score: 1

You don't use the same password for your email as you use for your bank account because you want to make sure that when one is compromised, the other is not.
If a thief has your email, then most likely they can use that to reset your bank account password.

--
Ideology: A tool used primarily to avoid the bother of thinking.
YOLO SWAG by StandardCell · 2016-08-05 09:12 · Score: 1

Secretly We Are Google And yes, welcome to OpenID circa a decade ago...
Yolo, indeed by allo · 2016-08-07 07:49 · Score: 1

Authorization? Why authorization? Fuck it, we have your data anyway.
Re:Because I WANT to share the same password with by allo · 2016-08-07 09:28 · Score: 1

It's better and worse.
if somebody controls your googleaccount he controls everything and probably even knows where the login works. Okay. But you can choose a strong password and 2FA. You will probably be secure and if there is a hack, it has a large impact and everyone will react.
If you use the same password everywhere, people do not know where else you used it (but can guess with your e-mail and password combo), but you have a lot of different hashes, some insecure and sometimes maybe not hashed at all. So if then a weak site loses it (and the odds that a site without good security doesn't use good hashing either are large), they have your password for everything.
If your password gets lost, you need to reset it on 100 sites. If your google acc ist hacked, you need to lock it one time fastly, then change the password one time to a secure one.
So both approaches have ups and downs. And both lose to one-password-per-site with 2FA per site where available.