Slashdot Mirror


Google's Open YOLO Project Will Remove the Need For Passwords On Android (thenextweb.com)

An anonymous reader writes via a report on The Next Web: Google is partnering with password management service Dashlane to build what they're calling Open YOLO (You Only Login Once), a new API that will allow Android apps to securely access your login credentials to sign you in without any fuss. The project is open source, which means anyone can scrutinize the code used to build it and find bugs, or even contribute and improve the API. That also means that it'll be available for other password management services to implement in their tools. Dashlane will be the first to integrate it; the company noted in a blog post that other services are also collaborating on this project and will likely follow soon. It also hopes that Open YOLO will eventually launch on other operating systems as well.

15 of 91 comments

  1. "... sign you in without any fuss." by Anonymous Coward · · Score: 3, Funny

    Or security when someone runs off with your phone. But it's all good because YOLO.

    1. Re:"... sign you in without any fuss." by swillden · · Score: 4, Informative

      Or security when someone runs off with your phone. But it's all good because YOLO.

      This is why you need to password-protect your phone.

      On a recent Android device, one launched with Marshmallow, password authentication is usually implemented in the Trusted Execution Environment (TEE), including doing brute force mitigation (exponentially-increasing delays after failed authentication attempts) in the TEE. On such a device, even a four-digit PIN is pretty strong, as long as you don't get shoulder-surfed. I say "usually" because this TEE-based password authentication feature was not made mandatory in Marshmallow (which should be rectified for Nougat... though only for devices that initially launch with Nougat). However, the vast majority of devices launched with Marshmallow do have it.

      If your phone is well-protected, then YOLO makes a lot of sense.

      (Disclosure/Disclaimer: I'm a Google Android engineer. I work on the TEE-based authentication component, but not on YOLO.)

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
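
The throttling swillden describes above, modelled as an added example that is not part of the comment and is not Android's code. The free-attempt count, base delay and one-day cap are assumed values, and the class stands in for state a TEE would keep out of the normal OS's reach.

```python
import hmac
import hashlib

# Assumed policy values for illustration; not Android's actual schedule.
FREE_ATTEMPTS = 5          # a delay starts with this consecutive failure
BASE_DELAY_S = 30          # first lockout length in seconds
MAX_DELAY_S = 24 * 3600    # cap on a single lockout


def lockout_after(failures):
    """Seconds the verifier refuses attempts after the Nth consecutive failure."""
    if failures < FREE_ATTEMPTS:
        return 0
    return min(BASE_DELAY_S * 2 ** (failures - FREE_ATTEMPTS), MAX_DELAY_S)


class ThrottledVerifier:
    """Model of a verifier whose counter and clock the caller cannot reset."""

    def __init__(self, pin, key=b"constructed-device-key"):
        self._key = key                  # constructed sample key
        self._tag = self._mac(pin)
        self.failures = 0
        self.not_before = 0              # earliest time the next attempt is evaluated

    def _mac(self, pin):
        return hmac.new(self._key, pin.encode(), hashlib.sha256).digest()

    def verify(self, pin, now):
        if now < self.not_before:
            return "throttled"           # rejected without checking the PIN
        if hmac.compare_digest(self._mac(pin), self._tag):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.not_before = now + lockout_after(self.failures)
        return "wrong"


def seconds_to_exhaust(pin_space=10_000, secret="9999"):
    """Worst case: every PIN is tried in order, waiting out each lockout."""
    v = ThrottledVerifier(secret)
    now = 0
    for guess in range(pin_space):
        if v.verify(f"{guess:04d}", now) == "ok":
            return now
        now = v.not_before               # simulated clock jumps to end of lockout
    return now
```

Under these assumed values, covering the whole four-digit space takes about 27 years of enforced waiting, which is why the counter and clock have to live where the normal OS cannot reset them.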
  2. OH, good by Anonymous Coward · · Score: 2, Insightful

    Now all my online accounts can have one point of hacking failure.

    GREAT idea.

  3. Because I WANT to share the same password with all by gurps_npc · · Score: 3, Interesting

    You don't use the same password for your email as you use for your bank account because you want to make sure that when one is compromised, the other is not.

    Using a single login is just a slightly easier version of using the same password for all your accounts.

    It is JUST as stupid as using the same password for your every account.

    The only difference is that the people with your password are promising not to steal money from you outright.

    They don't promise to respect your privacy in any way, because they are planning on abusing the crap out of it.

    Trusting someone whose outright plan is to abuse your trust is not a smart thing to do.

    --
    excitingthingstodo.blogspot.com
  4. Better, Faster, Stronger. by CrashNBrn · · Score: 3, Funny

    Let's reimplement OpenID! Now with 100% more YOLO.

  5. I hate SSO. by sims+2 · · Score: 2

    I hate single sign-on. There is no reason I shouldn't be able to log in to a separate account for email and for YouTube. Leave the apps separate please!

    --
    Minimum threshold fixed. Thanks!
    1. Re:I hate SSO. by pla · · Score: 2

      You can - Just make separate accounts for the two separate functions. Really that easy.

      Hell, half the internet already accepts SSO via Google, Facebook, or Twitter; I do not use any of those to log in anywhere except Google, Facebook, or Twitter.

  6. Like corporate SSO? by GreenEnvy22 · · Score: 2

    So it's similar to the many different SSO products on the market for corporate use, but made for personal use. We implemented SSO at work earlier this year. Some of our apps are able to integrate directly into it (and it links back to Active Directory) like Google Apps and Salesforce. For other apps it just acts as a password manager and will paste in their login info for them once the user enters it once. Having the same concerns about having all this accessible if you break one account, we made it harder to break into that one account. We enforce 2-factor authentication, so you need a mobile device linked to your account that sends a confirmation in. All mobile devices connecting to our systems have to have PINs on them and wipe after 10 bad tries. So for someone to break into a user account, even if they get the password, they still can't log in online with it unless they physically also have the user's phone, and have managed to unlock that as well. With the user's password they could log in to a workstation at the office, but they'd still get the 2FA prompt before they can get at e-mail or any other web-based apps.

  7. Wow! Google is getting creepier and more stupid! by cpotoso · · Score: 2

    This is incredible... why in the world would I want to allow a single-point compromise (i.e., hacked phone) to result in total control of all of my accounts? Creepy and stupid. I really think Google developers are out of control. The company's products are getting less and less attractive.

  8. Re:God Help Us All by kheldan · · Score: 3

    What could possibly go wrong?

    Aside from, as you allude to, everyone rummaging through our collective underwear drawers when we're not home? How about 'one-stop shopping' for hackers looking to score metric assloads of access and personal data?

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
  9. Re:God Help Us All by zlives · · Score: 2

    you failed at "single sign-on"

  10. Re:Because I WANT to share the same password with by NotInHere · · Score: 3, Interesting

    Yeah I'll probably never use that app, but I find the idea of an open API super useful, because I'm sure someone will implement an open source app that I can trust, and thanks to the API, it will be supported everywhere.

  11. Re: God Help Us All by PopeRatzo · · Score: 2, Funny

    What's already gone wrong is that open YOLO makes me think of gaping assholes.

    To be fair, almost everything makes you think of gaping assholes.

    --
    You are welcome on my lawn.
  12. Re:Because I WANT to share the same password with by Solandri · · Score: 4, Informative

    It'd be stupid to use this with your bank account. But I do have a dozen or so forums I occasionally post on and other sites which really shouldn't require an account, but they force you to make one to get access (e.g. they only let you read 3 forum posts a day anonymously). Those are basically throwaway accounts so I use the same password with them anyway. Something like this would be handy for that. Though as it's been pointed out, OpenID already tries to do that.

    It's actually safer than re-using the same password on multiple sites as I've been doing. If you use the same password, if one site gets hacked, they have your password to all the other sites. With YOLO or OpenID, since the login confirmation is between the site and YOLO/OpenID, the damage is limited to the site which got hacked. They only get access to all your accounts if they hack YOLO/OpenID or your computer.

  13. Login Once P0wn3d Everywhere by Thud457 · · Score: 3, Funny

    YOLO - You Only Lose Once

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff