We’ve written many times about the latest and greatest new technology that says it will supplant the password.
Of course, with password managers to take care of ch00sing c0MPl1c/\tEd p455WOrdz for us, and with two-factor authentication (2FA) to reduce the value of stolen or poorly-chosen passwords, you could argue that we no longer need to supplant passwords, because they’re easier than ever to use securely.
Password managers not only happily use passwords like 5G*wjcn@03lWRFq, where humans might end up going for PetsName99, but also associate passwords with specific websites, thus reducing the risk of being phished by putting a real password into a bogus web page.
2FA typically uses one-time login codes, delivered by SMS or generated by a special mobile app, that you need to enter along with your password, so that the password alone no longer lets crooks into your account.
Nevertheless, even if you use a password manager, you need a proper password for the password manager itself.
And even though 2FA makes things tougher for the crooks, it does add a small, extra step to the login process.
That’s enough inconvenience, known as friction in modern user interface jargon, to spur researchers worldwide to find ways of verifying who you are without asking you to enter long sTR1/\/gs of \/\/eird char4Ct3rz, especially if you’re using the fiddly virtual keyboards on today’s mobile phones.
What you really want
What you really want, say researchers into password replacement, is an authentication method that doesn’t involve a secret that you need to choose in the first place.
Nothing to memorise, and therefore nothing to forget; nothing that needs writing down; nothing that can easily be figured out or cloned by crooks; nothing that will ever need changing; nothing to type in.
In short: an automatic, or nearly-automatic, system that is at least as secure as 14 or more characters of randomly jumbled letters, digits, punctuations and emojis.
As you can imagine, solutions of this sort inevitably require some sort of biometric or behavioural data, such as your fingerprints, the pattern in your iris, your face, the way you speak and even, in one proposal we wrote up recently, the way your skull echoes. (Perhaps “how it conducts and reflects sound” is a less hollow way of putting that.)
There have been lots of problems with many of the password replacements proposed over the years.
For example, it turns out to be really easy to create dummy fingerprints – apparently, you can mould them from boiled-up gummi bears, or from liquid wood glue.
Face recognition needs to do sophisticated motion detection as well, lest a crook simply hold up a picture to the camera.
And most biometric solutions have the thorny issue that you can’t change your “password” if it should ever be compromised.
Google’s answer
Google thinks it has the answer: build the biometric measurements into the device and the operating system itself by tracking some, any or all of how you type, speak, move, and otherwise conduct your online life…
…so that the device can vouch for you at any moment.
Google’s Advanced Technologies and Projects division, or ATAP for short, calls it Project Abacus, and it’s supposed to keep track of your behaviour as you work, and maintain a rolling score called a Trust Score.
As far as we can see, your Trust Score is a sort of probability measure that the person who’s been using your phone for the past few minutes is the same person that has used it for the days, weeks or months before that.
By interrogating the Trust Score at any moment, an app can decide how much access to give you.
For example, perhaps you’re a good enough imposter to start playing an online game, but not realistic enough to make in-game purchases?
Perhaps you can click Facebook Likes, but not change the account password?
Maybe you can pay bills to existing creditors but not remit money to new accounts?
Sounds good, but we challenge you to watch the video below without getting creeped out at least a little:
What next?
Google has announced that financial institutions will start trialling the Trust Score system as soon as next month (June 2016).
Considering how frequently we have written in recent years about the insecurity of mobile apps, notably how they often seem to make a mess of the cryptographic security that their desktop counterparts have enjoyed for years…
…let’s hope that Google isn’t putting the security cart before the horse.
Tae
Google “supreme court biometric password” and you’ll know why I want to keep using a password.
Clifford Jones
Creeped out very much indeed, thank you. Your tag line “What if we combine lots of mobile device data to build a “Trust Score” so your phone can judge you in real time?” says it all, no reading between lines required.
The black leather and bling in the video magnifies the creep factor of the content by several magnitudes. She goes on to say that an “app” “has needs…” like food and water? No sir, I don’t trust this “device judging you” avenue one bit. To my taste we need less “machine knowledge” running our collective futures, not more.
Next thing you know they’ll figure out how “judge” revenue out of your cell phone like some sort of personal “red light camera.” You’ll pay indulgences to the state all day, for j-walking, wiping boogers on the escalator handle and such.
John
But who will guard the guardians?
Paul Ducklin
Their phones, of course :-)
John
Problem is, Google does not do this because they want so badly to help people. That’s just a by product they are using for all it is worth. The real reason, as for *everything* Google does, is to monetize on the user data they get by knowing so much about each user. I’m not impressed and will never take such a system in use.
g50p
I started listening to the Google IO on there subject but had to turn it off, that woman’s voice is sooooo annoying & grating.
Mike
Again, how is this going to work when an injured user tries to call emergency services? How much of the planned data is going to be unchanged by a broken arm and jaw?
Paul Ducklin
Presumably, regulators will require that emergency calls bypass this sort of lock. (You can already make emergency calls from your lock screen, or without airtime, or even without a SIM at all.)
avanschuylen
This is beyond being simply annoyingly creepy — including a woman with an irritating voice — I enjoy as much personal privacy as possible, and yet, according to GREEDY GOOGLE, they will try to be tracking all into about me…including me bathroom habits??!!!
Bryan
They may base identification on how you swype, but not likely on how you wipe.
:-)
Roger
This is all very well and good, but with an aging population of baby boomer who are getting all sorts of degenerative diseases what happens to accessing your phone after you have had a stroke, Parkinson’s or alsheimers??
Bryan
I hope this “Trust Score” never completely replaces my option for using a password. If I go on vacation I already use my phone in an unusual location and at pattern-breaking intervals. Alerting Google in advance–assuming that’s even an option–will only serve to whitelist thieves when I’m most likely to have my phone stolen. If all my gear were stolen, it would hinder authentication everywhere at a time crucial to authenticating quickly.
I don’t often use my phone’s browser, because I’m always near an easier-to-use desktop or laptop. On the day I’m shopping for a car and decide to burn through several dozen comparison sites, will my phone determine I’m too unorthodox and no longer me right now?
I’m no AI expert, but this sounds too complicated to be foolproof or even close.
What about traveling salesmen or service technicians? I assume geolocation is a factor in determining ‘typical’ usage. Are they never predictable–or always authenticated at any location due to their unpredictable and scattered movements?