Google Works On New Alternative To Password

By John Lister

Google is working on an option to replace password logins on mobile devices with a "trust score" built from multiple signals. The idea is to combine many factors, none of which is secure enough on its own, into a single measure of how confident the system is that the right person is holding the device.

The idea is to balance the need for security with the hassle of remembering passwords by building on the concept of two-factor authentication. That's an existing philosophy that deals with the inherent weakness of using a single login factor such as a password. Two-factor authentication combines a password with another factor such as using a specific device or having access to a physical hardware 'key', such as a USB stick.

Using multiple alternatives to passwords is a difficult balancing act. Many factors are weak in security terms, so relying on one or a couple will be much less secure than the traditional password. However, having a long string of factors that must all be used could be inconvenient: if there's any technical problem or any margin of error with verifying one factor, a legitimate user could be locked out.

Trust Score '10 Times More Secure'

Google's answer is called Trust API and works by combining multiple factors to produce a score. Rather than having to meet an entire checklist, the user would have to score enough points overall to pass a threshold. Google claims combining factors in this way could be 10 times more secure than a traditional password. (Source: theguardian.com)

Many of these factors won't rely on memory the way a password does. Instead, they will include biometric factors ranging from facial recognition to patterns in the way users type or swipe on a touchscreen. They may also include geographic factors such as whether the phone is in a "usual" location at a particular time.

The score could be calculated automatically. If a user failed to get the necessary number of points, the system could then ask for a password as a back-up. This could happen if, for example, the user had unexpectedly left town when they would normally be at work and thus "lost" points for location.

Sensitive Apps Require Higher Score

Google says companies using the system would be able to set the required score. Sensitive apps such as online banking would have a very high threshold, while apps that only use a password to personalize the experience (such as remembering your favorite baseball team in a live scores app) would require only a low score.
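To make the threshold idea concrete, here is an added illustration (not Google's Trust API code) of how a score-and-threshold login could be modelled: each factor earns points scaled by its match confidence, every app sets its own threshold, and a score below the threshold falls back to asking for a password rather than refusing outright. The factor weights, thresholds and sample signals are all constructed for this example.

```python
# Constructed model of a trust-score login check (illustration only, not
# Google's implementation). Each factor earns up to a fixed number of points,
# scaled by the confidence (0.0-1.0) the sensor reports. A factor that could
# not be evaluated at all (None) simply earns nothing, so a sensor glitch
# degrades to the password fallback instead of locking the user out.
FACTOR_POINTS = {
    "face": 40,       # facial recognition match confidence
    "typing": 20,     # keystroke-rhythm similarity to the owner's profile
    "swipe": 20,      # touchscreen swipe-pattern similarity
    "location": 20,   # phone is at a "usual" place for this time of day
}

# Per-app thresholds chosen by the relying app (assumed values):
# banking demands almost everything, a scores app that only personalizes
# the UI needs very little.
APP_THRESHOLDS = {"banking": 85, "scores_app": 30}


def trust_score(signals):
    """Sum the points each factor earns; missing factors (None) earn 0."""
    total = 0.0
    for name, max_points in FACTOR_POINTS.items():
        conf = signals.get(name)
        if conf is None:
            continue                      # factor unavailable: no points
        conf = min(1.0, max(0.0, conf))   # clamp bad sensor values
        total += max_points * conf
    return round(total)


def authorize(app, signals):
    """'allow' if the score meets the app's threshold, otherwise 'password'
    (request the back-up password). Apps with no threshold are refused."""
    if app not in APP_THRESHOLDS:
        return "deny"
    return "allow" if trust_score(signals) >= APP_THRESHOLDS[app] else "password"


# Constructed sample signals for one user.
AT_WORK = {"face": 0.95, "typing": 0.9, "swipe": 0.85, "location": 1.0}
# Same user, unexpectedly out of town: location earns no points.
OUT_OF_TOWN = dict(AT_WORK, location=0.0)
# Stolen phone still sitting in the owner's usual place: biometrics barely match.
STOLEN_AT_USUAL_PLACE = {"face": 0.05, "typing": 0.2, "swipe": 0.3, "location": 1.0}
```

The out-of-town case scores 73: enough for the low-threshold scores app but not for banking, which then asks for the password, exactly the fallback the article describes.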

The system will be tested this summer with "several very large financial institutions." If that goes to plan, it will be offered to all Android developers later this year. (Source: pcmag.com)

What's Your Opinion?

Is this a sensible alternative to passwords? Can you foresee any shortcomings? Would you be happy to use a "trust score" to login to apps?


Comments

Dennis Faas

My insurance representative that comes to visit me every so often has to carry a wireless dongle (key) that displays a series of numbers. Whenever he has to login to his computer, he has to enter a secure password (which changes every so often), plus the code which is broadcast to the dongle. By the sounds of it, the Google Trust API probably has something similar to this, which would be an incredibly secure way to manage logins - though, might be inconvenient for most folks especially if they do not have access to a smartphone (and/or data plan).

matt_2058

I don't have a problem with it, especially if the method is optional for those that don't want it. The site could offer something very secure for daily needs, then offer an option for times it's not possible to meet the strict requirements. Perfect example is for when someone is traveling.

It will be interesting to see what criteria will be used for authentication... IP address, MAC address, OS, browser? And have a dongle as Mr Faas mentioned for daily or traveling access.

How about a feature to lock the account, allowing access only as specified prior to lockdown? I have no need to access financial or medical records 10am to 3am, so lockdown is great. And you could change the access privileges in a few hours if your needs change.

spiras

I don't think the Trust Score will strengthen security.

I'll explain with an example: let's say my smartphone is stolen. The thief can't log in to websites requiring a Trust Score because he/she doesn't have my face/location/swipe style etc. But there will always be a way to bypass the Trust Score - such as using a password. Otherwise users will find themselves locked out without any prior warning when their Trust Score falls for any reason.

But that defeats the whole purpose of having a Trust Score. So we're back to square one. You'll always need a password "just in case". So all a thief will need is your password, just as is the case now.

dwiltzen_7016

Not only do they have access to our information now, they want to record our choices of time, location, friends, enemies, likes, hates and then be able to shoot at us information and paid advertising sent to tickle our interest. Big brother mind reading, then using it to make money.
If it was to make it easier for us, it is making Google the Bigger Brother.

gbruce40_3626

I use Lastpass to generate passwords. It is generally very good. However when I access my bank I must enter my bank account number like xxx xxx-xxx-xxx followed by my secure password. Works great except when the bank randomly asks for additional information that I have supplied them with, like my city of birth or any of up to 10 other questions that only I would know.
When this happens Lastpass thinks it is being asked for my password again and no matter how fast I can input the information being asked for, Lastpass is faster and inputs the password. After three attempts, my bank locks me out and I have to physically visit the bank and have them unlock my account. This has happened twice now and I realized that I have to disable Lastpass when accessing the bank, or any other website that uses a similar system.
This is just an example of how a good system can be made unusable. No matter how complex you make a system, it will be compromised in time by companies doing their own thing to make their system even more secure, or by a crook figuring out how to defeat it.
If the crook is so clever to defeat these systems, why is he not clever enough to get a real job and make him/herself legally rich.
I am now 75 years old and whatever you do to improve security will without doubt make my internet life increasingly difficult.