Google to kill passwords on Android, replace 'em with 'trust scores'

Google is planning to use “trust scores” to kill off traditional passwords on Android. The internet giant wants to get rid of password logins, at least for Android apps, by 2017. Google outlined its plans at its I/O conference last week. Google's Trust API technology would use a variety of metrics to create a trust score. …

  1. jb99

    Question

    How did it get to April 1st so quickly. I assume this is a wind-up?

    1. BasicChimpTheory

      Re: Question

      I can only upvote once so: +one bajillionty.

    2. Magnus Ramage

      Re: Question

      Had the same thought and I genuinely had to check the date when I read this.

  2. Lord Schwindratzheim
    Big Brother

    Sooo...

    "Factors such as typing speed, vocal inflexions, facial recognition and proximity to familiar Bluetooth devices and Wi-Fi hotspots would be used to calculate the score"

    So, for this to work, some or all of these factors have to be enabled. Naturally the increasing data slurp is just a coincidence...

    1. NotBob

      Re: Sooo...

      Still wondering how that will work since I generally don't use bluetooth, have the camera off or obscured (or broken, but that was an accident), and often turn the wifi off when not using it. The GPS isn't on either, and I don't type that much that often to allow for sampling that.

      Perhaps my phone will decide I don't exist.

      1. Anonymous Coward

        Re: Sooo...

        I'm sure there will be a stone-age mode for people like you.

        1. Phil O'Sophical Silver badge

          Re: Sooo...

          I'm sure there will be a stone-age mode for people like you.

          What's stone-age about saving battery power for calls, and not wasting it on wifi when I'm nowhere near a wifi access point, or GPS when I know perfectly well where I am?

          1. anonymous boring coward Silver badge

            Re: Sooo...

            Don't you know?

            It's stone age to do any kind of management of "your own" (you paid for it, but that's about it) device on your own.

            You are supposed to leave it all to someone else.

            You are just a serf. A poor User. A tool for someone else.

        2. This post has been deleted by its author

        3. not.known@this.address

          Re: Sooo...

          Not everybody sees Technology as a god to be worshipped at every opportunity. Technology is an enabler, not the result.

          You do know there is a real world beyond the edge of your screen, yes? Maybe 'Golden Age' rather than Stone Age - the Golden Age where people actually spoke to other real, live people and not just tapped a keypad in some filthy little bedsit somewhere (see, I can generalise and be rude too. But I'm not hiding behind the Anonymous Coward shield...).

          Given the choice between the chance that some scumbag might bother trying to crack my password or allowing Google to force me to tell them where I am and what I'm doing all the time, I will stick with the password every gorram time.

      2. Zilla

        Re: Sooo...

        Then obviously it will fall back until it can authenticate you. If that means asking you for a password then I imagine it will.

        1. Dan 55 Silver badge
          Meh

          Re: Sooo...

          Then you (or anyone) can swipe down and turn off wifi/bluetooth/location and get a password prompt.

          Oh dear, you (or anyone) forgot the password. Now it's asking what your favourite colour is.

      3. Anonymous Coward
        Joke

        Perhaps my phone will decide I don't exist.

        Then Google autonomous car won't avoid you.

      4. BasicChimpTheory

        Re: Sooo...

        @Not Bob

        Nailed it.

        Currently looking at "feature" phones/developing a deep understanding of AOSP* so that I can deliberately facilitate your last sentence for myself. It does merit consideration if this is a good idea in the long run however (data-boot proximity to facial regions being eternal and all...)

        *that make file is pretty intimidating for a nOOb.

      5. Warm Braw

        Re: Sooo...

        >Perhaps my phone will decide I don't exist

        Even if it admits to your existence, what precisely is the point of a mobile device that checks you're in a familiar location? I have proper computers in the places I find myself most frequently: Android is for the random places the Cat 5 doesn't stretch.

      6. energystar
        IT Angle

        Re: Sooo...

        "...I generally don't use bluetooth..."

        You? Or your phone? Come on!

      7. Inventor of the Marmite Laser Silver badge

        Re: Sooo...

        Wot Not Bob said +several bajillion

    2. Dabooka

      Re: Sooo...

      @Lord Schwindratzheim

      Funnily enough, that was my immediate thought too; I don't want to have Bluetooth and wireless on all of the time. Even my location services is set to off, why do I want to turn that lot on to use an app?

      1. Bakana

        Re: Sooo...

        Add me to that list.

        I keep my phone in Ultra power saving mode 98% of the time because, Hey, it's a Phone and that's what it works as in that mode.

        The only time I take it Out of that mode is when I'm using it as a Music player in my car.

        And all That music is on the MicroSD Chip inside the phone.

        I'd add the Music player to the apps that are allowed to be On in power saving mode, but there doesn't appear to be any way to do that. It's one of the apps that Google has decided, in their "Wisdom" needs internet Access even though I never download music to the phone from the internet. I purchased the CDs instead.

      2. BongoJoe

        Re: Sooo...

        I am still living in my motorhome, travelling around the UK.

        The wifi hotspots vary wildly day to day. And depending which dongle I have running at any one time due to monthly data limits, all of the wifi I see today may be utterly different to what I see tomorrow.

        This won't work here for sure.

    3. Dan 55 Silver badge

      Re: Sooo...

      Would this need Google to come round and fit some plumbing at the bank's end?

      Luckily this nonsense won't affect my banking apps because I don't use 'em either. Mobile website using browser is more secure, mainly because banking apps don't know how to check TLS certificates.

    4. Anonymous Coward

      Re: Sooo...

      Exactly my thoughts.

      "We see you are not using your mobile Banking App for YXZ Bank. Perhaps a new account at ABC Bank would be of interest to you?"

      Personally, what apps/web-pages I access etc I run on MY device is of no business to the likes of Google.

      IMHO this is just to get even more interesting facts on their userbase so that they can monetize it (and you for that matter).

  3. TeeCee Gold badge

    To paraphrase:

    Biometric authentication.....blah blah data mining....blah blah advertising.......blah blah monitoring...............oh............yes.............wait.............it does some security stuff too.

    Nice to see my rather jaundiced opinion of Google's real priorities reinforced.

  4. Peter 26

    The end of passwords?

    Before you all go mad, just remember, if you're bothered I am sure there will be a way to use higher security.

    I don't really see how this gets rid of passwords though? Surely it is just a better lock screen.

    I think it's a good idea, currently I have my phone unlocked longer than I really should security wise. I have Google Authenticator on it and Android Pay which I really wouldn't want anyone using for nefarious reasons. So it's slightly better than no security.

    1. m0rt

      Re: The end of passwords?

      "Before you all go mad, just remember, if you're bothered I am sure there will be a way to use higher security."

      Stop using android would be a start.

      Though I can't think of any replacements right now, since BBOS is no longer being developed.

    2. tony72

      Re: The end of passwords?

      @ Peter 26

      Before you all go mad, [...]

      Too late, the predictable knee-jerk ranting has begun.

      Personally, if my phone can reliably determine that I'm me without me having to faff about entering passwords, I'm all for it. Whether the technology ends up being up to snuff is another matter, but I'll hold fire until I know more about how and how well it actually works (crazy, huh).

      1. DuncanL

        Re: The end of passwords?

        @tony72

        Don't go bringing sense and reason to internet comment forums, you loon!

      2. Zilla
        FAIL

        Re: The end of passwords?

        I used to find the comments on The Register to be highly entertaining and or insightful.

        Seems to have regressed to a state of mostly unintelligible criticisms of technological progress.

        But but what If I don't have bluetooth? What if I'm in a foreign country? What if I lose my thumb and can't use my thumbprint scanner? What if I have a face transplant and it doesn't recognise me? What if I want to set a password?

        I wouldn't even mind but it's almost always said by people who massively overestimate their own knowledge and experience. Presumably earned from years supporting users.

        1. Notas Badoff

          Re: The end of passwords?

          "I wouldn't even mind but it's almost always said by people who massively overestimate their own knowledge and experience. Presumably earned from years supporting users."

          @Zilla ! Oh thank you. That is the perfect description of a lot of people. And not necessarily from the tech sphere. After interacting with a few dozen 'normal' people in a day, most everyone comes away with undeservingly inflated egos.

        2. Anonymous Coward

          Re: The end of passwords?

          @Zilla - that depends on your definition of progress, now, doesn't it? If your definition of progress is every last little new thing that Google flings at you, then yes, I'm amongst the cave-dwellers, as I prefer to use my critical faculties to decide whether what companies want me to use is up to scratch or not.

          If, however, your definition of progress is the introduction of new technologies that are likely to work well and make life better, then I'm not a cave-dweller - but I will say no to stuff that's thrown our way that has clear drawbacks and possible dire consequences if/when it fails.

          For me though, the point of failure is Android itself. No, actually, cancel that; it's the modern 'smartphone', but Android just appears to be the worst (due to insecurity) of the OS's on offer.

          Personally, I've no intention of paying desktop PC prices for something insecure which I've little control over that's sold filled with crapware I've no interest in, and which can't be removed. Hence no smartphones for me. A dumb phone plus a Psion II would suit my needs far better than any current smartphone (and would probably be cheaper too, if they still made P-II's).

        3. not.known@this.address

          Re: The end of passwords?

          I have no issue with technological progress where it improves my life and is not intended solely to allow Google or any other money-grabbing bunch of snooping businessmen to spy on me.

          I value my privacy and do not want to walk through some shopping mall where all the adverts address me by name and base what they show on the websites I visit (how many flight simulator programs are there for PCs now, and what the hell would they show me based on the content on El Reg??).

          Zilla, did it ever occur to you that it's because some people have supported users for years that they no longer think technology is such a great idea? What happens if someone takes over at (insert Supplier name here) and tells you they want you to give them half your yearly earnings or they cut your services off? What are you going to do when you suffer a power cut and you can't speak to anyone or go anywhere cos your fantastic robohome has gone into secure lockdown mode until the power comes back?

          Perhaps you would share your own knowledge and experience so we can see how massively we have overestimated our own...?

      3. Anonymous Coward

        if my phone can reliably determine that I'm me..

        ... without sending all unique IDs about me it can retrieve to Google et al., I'm all for it.

        Hoping those unique IDs can't be retrieved from a stolen device or remote storage and used to impersonate me.

      4. Anonymous Coward
        Pint

        Re: The end of passwords?

        "if my phone can reliably determine that I'm me..."

        There are occasions when I can't reliably determine that I'm me - especially after beer o'clock...

        1. energystar
          Terminator

          Re: The end of passwords?

          '...when I can't reliably determine that I'm me...'

          Then suspecting of being 'contained', or worse, 'incepted'.

      5. Halcin

        Re: The end of passwords?

        Personally, if my phone can reliably determine that I'm me without me having to faff about entering passwords

        Problem 1: it's not your phone. You have bought permission to use the device at the discretion of Google/device manufacturer.

        Problem 2: It's not the phone that is determining it's you. The authentication will be performed in some anonymous data centre using data which is out of your direct control.

        1. Alumoi Silver badge

          Re: The end of passwords?

          @Halcin

          It IS my phone. The second I got home from the shop I rooted it, installed a custom AOSP, wiped out the crap (yes, custom builds still have crap nobody uses) and restored my contacts from file.

      6. kwhitefoot

        Re: The end of passwords?

        "me" is not a single value concept. I have several online me s and I want them to remain separate but if Android logs me in always as the physical me that isn't going to work very well.

    3. Naselus

      Re: The end of passwords?

      "I don't really see how this gets rid of passwords though? Surely it is just a better lock screen."

      They cease to be necessary because your phone will use its own 'awareness' to determine who's using it and allow only you to access your stuff. No need to provide a password, which exists purely for the exact same purpose.

      So, say you want to access your mobile banking app. The phone checks a variety of things to make an assessment of whether it believes you are you. If it's convinced enough that you are, it lets you access your account. If not, it says 'no, I don't think you're you, sorry' and just gives you access to non-harmful stuff like Angry Birds.

      I'm willing to bet the first thing this does is renders all Android phones (Aside from 2-3 £800 flagship models) unusable.

  5. Keep Refrigerated
    Childcatcher

    Lost in a foreign country....

    Then you're screwed.

    How is this going to work for business travelers, who may need urgent access to their accounts in the event of travel plans getting screwed up?

    1. Dabooka

      Re: Lost in a foreign country....

      Well not really, I doubt they're suggesting that you must be in range of your car / home stereo / work wifi for this to work, I'm sure you'll just be told to authenticate some other way. Possibly by password.

      1. Halcin

        Re: Lost in a foreign country....

        Google email throws a hissy-fit every time it thinks I'm in a different location. And if it demands a password then it defeats the whole "extra convenience" this idea is supposed to provide. And that makes the situation even worse, because it's now demanding that you remember a password you have not used in six months.

    2. Dave 126

      Re: Lost in a foreign country....

      Just as it would work for people who have an elastoplast on the thumb they use for their fingerprint scanner - they enter their passphrase instead.

      There is even precedent - it is not unknown for a card issuer to telephone a card holder if the card is used in unusual circumstances, to request further authentication beyond the card and PIN themselves.

      (Though of course you should not give any information in those circumstances, but instead ring off, ring a trusted party such as a friend, ring off and then ring the number on your card or bank statement. The idea of ringing a friend is to make sure that any would-be spoofer hasn't kept your line busy - this has been known to happen on UK landlines, I don't know if it applies to mobile phones)

    3. 's water music

      Re: Lost in a foreign country....

      How is this going to work for business travelers, who may need urgent access to their accounts in the event of travel plans getting screwed up?

      Just do what my friends do and email all your contacts to explain the situation and ask them to wire some funds via Western Union. I never seem to get much thanks though.

      1. Charles 9

        Re: Lost in a foreign country....

        You're halfway around the world. They're ASLEEP, they don't answer the phone, and you're on a deadline...

      2. bep

        Re: Lost in a foreign country....

        Um, you can't get access to your phone, because it doesn't think it's you, because you are in 'foreign'. So you better hope there is one of those old-fashioned internet cafes nearby, or you're boned.

        This 'idea' has Catch 22 written all over it. I especially loved the part from the quoted 'expert': "gaining data and insight about their customers," Yep, that's what it's all about alright.

  6. DerekCurrie
    Angel

    OOTM: Out Of Their Minds

    *popping popcorn* This should be good...

  7. Anonymous Coward

    Capital plan, Baldrick !

    It would instantly do away with all those pesky password issues on locked phones because, well, of course Scroogle itself would be a 'Trusted Source'. Trusted by themselves, obviously !

  8. Chris G

    Incredible

    Just how much utter crap apparently intelligent people can spout or even think of.

    This is how long is a piece of string security so not so much security as an excuse to suck more data about you.

    Currently most of the criteria the article talks about is unavailable from my phone by my choice.

  9. Anonymous Coward

    Too stupid for security

    That's fine. Security isn't for everyone.

    However biometrics are the username, not the shared secret. Hollywood movies messed up everyone's expectations in this regard.

    1. Charles 9

      Re: Too stupid for security

      But what if biometrics is ALL YOU HAVE?

      1. energystar
        Windows

        Re: Too stupid for security

        Think of the elder, think of you on stressful situations... This is a good development.

        As far as privacy goes, nothing changes -except a little more disclosure-.

    2. DropBear
      Trollface

      Re: Too stupid for security

      "Hollywood movies messed up everyone's expectations in this regard."

      Nonsense. If anything, the historical documents movies have taught us that the only absolutely reliable way to confirm a questionable identity is by kissing. I anxiously await the day when machines get equipped with _all_ the appropriate hardware interfaces for a thoroughly exhaustive identification of that nature - I insist securing my bed to the highest standard...

  10. PJ H

    Once again...

    ... we're expected to use things that can't be changed as passwords.

    Biometrics used as passwords are, in general, a bad idea. They're not secret, they're not revocable and they're not precise.

    1. Charles 9

      Re: Once again...

      But for many people that's ALL THEY HAVE. So they're all you have to work with. If you say that's not acceptable, then you're saying these people CAN'T be secure and that they're a lost cause. Sounds like you need another idea that doesn't rely on memories or things that may not be present.

    2. This post has been deleted by its author

    3. energystar
      Gimp

      Re: Once again...

      My knowledge of everybody I think I know is imprecise. But trusting it more than any key, ID or $20 bill between their thumb and palm.

      1. energystar
        Gimp

        Re: Once again...

        Those 3 things are made very precisely.

    4. energystar
      Gimp

      Re: Once again...

      As for revocability, thanks but no. Up to me.

      As for passwords, they should be secret. Identity shouldn't.

      1. PJ H

        Re: Once again...

        "As for revocability, thanks but no. Up to me."

        That latter is exactly what it does mean. As in "You should be able to revoke the current authentication and replace it with another." i.e. changing your password.

        What it doesn't mean is someone else can do it for you, which is what I think you took it to mean.

        1. energystar
          Holmes

          Re: Once again...

          Done all the time. By revoking certificates. Try 'changing your password' after that...

  11. Anonymous South African Coward Bronze badge

    Time to move away from Android to something else then?

    1. JimmyPage Silver badge
      FAIL

      Time to move away from Android to something else then?

      Let us know when you've written it then.

      Because that's the only way it'll happen.

      1. Daniel B.

        Re: Time to move away from Android to something else then?

        iOS, Sailfish, BB10...

        1. Charles 9

          Re: Time to move away from Android to something else then?

          Apple's no better in the privacy department, BB10's being dropped, and Sailfish is Not Ready For Prime Time.

    2. energystar
      Windows

      We can start with a pair of empty cans and thread...

      1. Simon Westerby 1

        You could call it "CANDroid" ...

  12. Queeg
    WTF?

    You can have...

    You can have my password when you tear it from my cold, dead ......

    Hang on a sec

    Now that's just not playing fair.

  13. ChubbyBehemoth

    Great for accident situations!

    There you are, finally got your smarter than good for you phone out of your pocket with your non-broken arm and the thing doesn't recognise your slur, bloated face and bloodshot eyes. However, you can still play candy crush while bleeding to death,.. hooray!

    1. energystar
      Pint

      Re: Great for accident situations!

      Of course! You can have your password as backup [I think?].

    2. energystar
      Alien

      Re: Great for accident situations!

      But your phone will know you crashed! And send your GPS crossings to Emergency Services. [Have you blogged something bad about Alphabet lately?].

      1. Anonymous Coward

        Re: Great for accident situations!

        How will the phone know the difference between being in a car crash and being dropped? The G force would be similar. If it is tracking your instantaneous speed that's a pretty small line between "rear ended another car while going 30 mph" and "slammed on my brakes at 30 mph to avoid hitting another car".

        If I'm holding my phone in the passenger seat and the driver slams on the brakes, if I'm not holding the phone tightly enough it might fly forward and hit the windshield. Sure don't want it calling 911 because it thinks I was in an accident. The phone simply doesn't have enough information to do this reliably, and would waste the time of emergency services.

        1. DropBear
          Big Brother

          Re: Great for accident situations!

          Relax, citizen. Your phone has been in contact with your car's network and knows the airbags have deployed. The emergency services and the police have already been notified. Do not concern yourself with practical matters now, there's no need - detailed video, driver input and instrumentation data of the last minute preceding the crash is already being reviewed by your insurance company. Cars approaching your contorted wreck are automatically warned to avoid you. Based on the slowing pulse detected by your fitness clock/bracelet you're not long for this world, so right now your phone is tactfully inquiring whether you'd like it to call a loved one...

  14. Anonymous Coward
    Mushroom

    somebody's been really busy ...

    downvoting all the negative comments. This little observation leads me to the following question:

    Yo, Google! How many social media trolls do you employ as media analysts?

    Biometric Trust Score for unlocking your mobile phone/device/gizmo has got to be one of the dumbest ideas I've ever heard. Who's going to write that software? The same people who wrote Stagefright? Stagefright is the gift that keeps on giving. It still hasn't been fully mitigated.

    Just sayin'.

    1. energystar
      Childcatcher

      Re: somebody's been really busy ...

      "...Who's going to write that software?.."

      ;)

      So many DECADES in the game, still people who don't get THE difference between client and user.

  15. Robert Helpmann??
    Childcatcher

    Lack of Common Sense

    Says Richard Lack (I would hold this up as a case of nominative determinism and upon careful consideration of his comments, I will), “The future lies in methods of authentication without passwords, which consumers clearly favour, both in terms of convenience and enhanced security...” which really means they want technology that is sophisticated enough to be magic. Consumers want to be able to have their phones, financials and abodes only open to themselves and those they allow without having to do anything or know anything. That last might make a good metric of customer acceptance. If you would trust access to your house to a given technology after being made to understand the risks, benefits and operation, then it is probably OK to use to protect access to your phone which in turn allows access to your bank, credit cards, et cetera.

    Mr Lack goes on to say, “Biometric authentication is a powerful enabler, allowing businesses smart enough to deploy it to significantly increase rates of registration, gaining data and insight about their customers, while also increasing customer security. This is a win/win scenario...” No, these are arguably mutually exclusive as the idea here is to allow the businesses in question to gather consumers' biometrics rather than to have a third party provider authenticate your identity based on your biometrics. A big win for big business, but not so much for individuals.

    1. Charles 9

      Re: Lack of Common Sense

      "which really means they want technology that is sophisticated enough to be magic. Consumers want to be able to have their phones, financials and abodes only open to themselves and those they allow without having to do anything or know anything. That last might make a good metric of customer acceptance."

      That's pretty much what they want because for many people what they ARE is ALL THEY HAVE. They have poor memories so don't KNOW anything and all they HAVE is the phone so they don't have anything else to authenticate with.

  16. tiggity Silver badge

    disabled

    Let's see.

    Selfie camera - never used, generic protective case (not phone specific as from an old defunct phone, so not a perfect fit for current one but does job of protection) obscures the selfie lens anyway. So not explicitly disabled but useless.

    Bluetooth - off as never use it

    Wifi off - use phone data, do not want to have phone jump on dodgy wifi and be subject to MITM attacks etc.

    Location - off (may be transiently turned on for occasional specific reasons e.g. if out in middle of nowhere and want to get accurate coordinates to record position of something interesting e.g. a protected orchid species worth notifying the appropriate people about)

    So, they would be struggling to get any useful data, beyond typing speed to prove the phone user.

    Not that typing speed would be massively reliable, in the UK, using phone out and about, my typing speed varies a lot, e.g. in cold winter with gloves on (you can get gloves that allow phone use) typing a lot slower / more error prone. In rainy weather, typing more erratic as rain often gets on screen & screws up typing. My typing style probably only reliable if indoors and even then not if I'm distracted by chatting to someone whilst typing.

  17. JimmyPage Silver badge
    Stop

    Just curious ... how many commentards here

    have *actually* worked with anything other than username/password security ? Because there seems to be a lot of (being charitable) ignorant nonsense being spouted.

    First off, as an enthusiastic user of Google Authenticator (other 2FA solutions exist) I know immediately that losing my 2FA device (in this case my phone) isn't the end of the world, as Google allows you to pre-seed a set of 10 keys for such occasions.

    Similarly, when my 2FA key for work got broken (it's all very well them being supplied as "keys" but with the punishment most sets of keys get, failure is inevitable) it was the work of a phone call to have my account temporarily "de-2FAd" until they got a new one to me.

    For the supposed brightest and best of the IT world, a lot of commentards aren't half grumpy old sods.

    If you start (as I do) from the premise that the "classic" username+password authentication paradigm is broken, then you have to accept we need something new. It may - or may not - be what Google are cooking up. But at least they're trying.

    It's not just me that has decided classic authentication is broken, btw. Most UK banks do. Hence 2FA card readers.

    Incidentally, it seems Google are trying to clarify situations where *identification* is separate to *authentication*.

    1. Anonymous Coward

      Re: Just curious ... how many commentards here

      "For the supposed brightest and best of the IT world, a lot of commentards aren't half grumpy old sods."

      I have never been among the brightest and best of the IT world, though I am a grumpy old sod.

      But even I can see that a company full of PhDs may possibly have engaged a little more in the way of brain cells in the matter than people posting after a few minutes of consideration. Which is why my own instinctive reaction is "there could be problems with this but let's see how it works out in practice."

      1. paulll

        Re: Just curious ... how many commentards here

        You're presuming non-maleficence on the part of the PhD-types; No doubt they're good at what they do, but what they're doing is not what they're purporting to be doing.

    2. J Bourne
      Coat

      Re: Just curious ... how many commentards here

      "If you start (as I do) from the premise that the "classic" username+password authentication paradigm is broken"

      MMMmm, nope?

      1. Charles 9

        Re: Just curious ... how many commentards here

        MMM, YUP! Passwords and stuff stolen ALL THE TIME. Plus people have bad memories, too.

    3. Daniel B.

      Re: Just curious ... how many commentards here

      If you start (as I do) from the premise that the "classic" username+password authentication paradigm is broken, then you have to accept we need something new.

      It is, but that's an argument for 2FA, not for some mumbo jumbo voodoo crap replacing the password. There's already a workable solution for higher end smartphones: the fingerprint reader. And I still get the ability to use the password if I need to.

    4. LittleOldMe

      Re: Just curious ... how many commentards here

      Biometrics have 2 serious drawbacks

      1) They are easily defeated. Pictures can defeat face recognition, recordings can defeat voice recognition, images can defeat fingerprint recognition. It is not so hard to take a picture of someone else and be them.

      2) If you suspect your security has been compromised, you cannot change your face / voice / fingerprint.

      Passwords however cannot be forcibly extracted from your brain by any means short of torture. They are easily changed if you suspect a breach.

      Based on this I would say that the password paradigm is not broken. This does not mean passwords are perfect. Users pick stupid passwords, fall victim to phishing attacks etc. 2FA can help mitigate that risk to some extent, particularly for high value systems such as online banking. But 'something you know' is likely to remain the strongest element of any 2FA system. I for one am not ready to give up my password.

      The reason there is much interest in the industry is not because of improved security. But because it is something new and flashy that encourages users to replace kit and hence improve the market share of the company selling it. It may well be that the marketing departments try to sell it as 'better security'. But that would only be true for those users who use pas55w0rd everywhere and write that down on a post it note in case they forget. For those of us even remotely security aware, GOOD passwords are still the cornerstone for keeping the bad guys out.

      1. Charles 9

        Re: Just curious ... how many commentards here

        "Passwords however cannot be forcibly extracted from your brain by any means short of torture. They are easily changed if you suspect a breach."

        Unless you're TRICKED, and the trickster changes the password ahead of you to block you regaining control...

        1. LittleOldMe

          Re: Just curious ... how many commentards here

          And how would Biometrics fix that problem? How is that better?

          If you have been locked out from your account by the bad guys, then it is time for a talk to your IT administrator.

      2. Charles 9

        Re: Just curious ... how many commentards here

        "But 'something you know' is likely to remain the strongest element of any 2FA system. I for one am not ready to give up my password."

        But what about all those people with bad memories for whom "something they KNOW" is likely not an option? That's the big bug-a-boo about passwords: it relies on something that for many people is very finicky and at plenty of times may not be reliable enough.

  18. J Bourne

    Just when you might need it the most....

    Just don't get your hair cut, go on holiday and get a tan in a strange land and then catch a sore throat from overdoing the Karaoke the night before.... And then have the rental car break down at night in the hills.... Just sayin like.

    1. energystar

      Re: Just when you might need it the most....

      Then use your password [that one inside your stolen wallet]. Take care, storm, lightings.

      1. energystar
        Pint

        Re: Just when you might need it the most....

        Oops! almost forgot. Not here for the points. Take care of your Carpal tunnel syndrome.

  19. Florida1920
    Alert

    Superman would agree

    Bring back the bloody phone booth.

  20. Grunchy Silver badge

    Preferred by consumers certainly, but is this preferred by identity theft victims?

    Let's put this technology on the front door of your house, and more to the point, do so without your authorization or input or with any regard to what you may think. So now, depending on how fast someone may type, what they look like, what their voice sounds like, your front door may accidentally determine some drunk bloke careening down the lane is authorized to come ramble around your flat at 2 am on Tuesday. Irrespective of what keys may reside on whoever's keychain.

    Surprise!

    1. Charles 9

      So you're saying there's a passing fair chance someone who could be a person's identical twin down to voice, speech, and motion mannerisms can pass for you on a given night? I'd like to see the actual odds of this...

      1. Mephistro

        @ Charles 9

        "someone who could be a person's identical twin down to voice, speech, and motion mannerisms can pass for you on a given night?"

        It all depends on how tight are the tolerances for the biometric measurements. My bet is that said tolerances won't be tight at all, due to things like ambient noise, variable light levels & light colour, hairdos and dyes, glasses and sunshades, ...

        If that's the case, probably any chap superficially resembling you and able to modulate his voice to more or less sound like yours may be able to unlock your phone.

    2. energystar
      Big Brother

      Trust THIS technology a lot more than dual keys of 'Trusted' Authorities.

  21. J 3
    Mushroom

    Very hard to imagine scenario

    Except for the facial recognition part, how would the following, very unlikely (not) scenario play out?

    Your phone is there, sitting on the coffee table at home. So it is near all the Wifi, Bluetooth whatevers you have. It is connected to a known network, of course. Location says it is home, obviously.

    Then your 6-year old comes along and decides to play with your phone... What could go wrong?

    Or worse, someone mad at you comes along and finds the phone... With malicious intent. Could a photograph of you fool the facial recognition, by the way, or is that already solved?

    Would the typing pattern criterion take care of this? How? Would we have to provide typing samples every time to authenticate? Sounds very practical (not).

    Edit: forgot about the voice recognition thing, too. So this scheme would have to use everything to be secure? Well, we'll see how this works in real life (because in marketing land it will always be rainbows and unicorns).

  22. sysconfig

    Trust score of zero

    That's what Google has on my personal trust score rating. I'm quite happy for them to share the same sentiment about me. Call me old fashioned, but convenience is not more important than security/privacy. I'll choose complex passwords or (better) multi-factor authentication over biometric and telemetry slurp any time, thank you.

  23. energystar
    Windows

    Welcoming a more open Alphabet...

    Welcoming a more open Alphabet about their TRUE capacities. On this opening they bring new MUCH SMARTER services to their USERS.

  24. energystar
    Big Brother

    "...This implies that a device could be unlocked to apps even with a low score, which provides an avenue for more privilege exploitation attacks..."

    Should disagree at this one with you, John Leyden. Trust scores are based on cumulative knowledge -just as human trust is slowly built-.

    1. Anonymous Coward
      Anonymous Coward

      That isn't questioning the integrity of the trust score, it's saying privilege escalation vulnerabilities are a possibility and if they exist, the device is only as secure as the weakest app (the app with the lowest required trust score).

      Once access to that app has been gained, privilege escalation could be used to gain access to sensitive enough areas to disable the protection on the higher trust score apps.

      1. energystar
        Paris Hilton

        '...the app with the lowest required trust score...'? Passwords are yes or no, Ok. And -as far as I understand- Trust scores can be set so, also.

      2. DropBear

        "That isn't questioning the integrity of the trust score..."

        I fear you might unwittingly be arguing with Microsoft's latest teenage-level AI...

  25. energystar
    Angel

    Yahoo! KNEW I had a new cellphone... At some point They asked me: Is this cellphone also yours? Just to add to our private profile... Before giving me access to my mail.

    Of course! Told them. Thanks! They told me...

    1. energystar
      Devil

      A 'burn'? phone...

  26. Anonymous Coward
    FAIL

    On the shoulders of giants

    This sounds quite similar to the credit card industry's fraud detection systems. Ought to work about as well too.

  27. energystar
    Coffee/keyboard

    Too many baby vultures flying around this article...

    Should be a little more moderate at my looniness.

  28. YARR
    Black Helicopters

    Where is this all headed?

    The internet giant wants to get rid of password logins...

    Games and basic tools would be run even if only a low trust score was achieved

    Can't people see their masterplan is to de-personalise your mobile device and transition to Android-in-the-cloud? They want you to be able to use any Android device to log-in to your Android-cloud session with private cloud apps tied to your ID, but local device Apps shared to anyone. The strategy is to bind users to Android so it becomes socially-awkward to switch to a different platform, particularly one with better security.

  29. Anonymous Coward
    Anonymous Coward

    What can possibly go wrong...??? - This is where we are right now…

    http://www.rte.ie/news/2016/0524/790608-terms-and-conditions-readathon/

    "A Norwegian consumer group has begun a marathon live "readathon" in an attempt to highlight the unrealistically lengthy terms of service and privacy policies that people must sign up to when using apps on an average smartphone. The current state of terms and conditions for digital services is bordering on the absurd,"

  30. Anonymous Coward
    Anonymous Coward

    "Why smartphones don't add up to an industrial revolution"

    "over the past two decades the world has been innovating less"

    http://www.bbc.co.uk/news/36342723

    You can believe that or you can listen to some corporate lackey (Lack??? 'Even your name is a dime-store joke')... The type who's always claiming we want more of this.. If this is the future then get me off this f'ing planet...

    “The future lies in methods of authentication without passwords, which consumers clearly favour, both in terms of convenience and enhanced security,” Lack commented. “Biometric authentication is a powerful enabler, allowing businesses smart enough to deploy it to significantly increase rates of registration, gaining data and insight about their customers, while also increasing customer security. This is a win/win scenario which sounds the death-knell for awkward and insecure passwords sooner than we may imagine.”

  31. 9Rune5

    "privilege escalation attacks"

    The article runs that phrase as its byline.

    But what exactly does it mean?

    Someone tricks me into installing an app that somehow manages to escalate its privilege level and then when that someone "borrows" my phone the app will let him/her gain access to everything?

    How is that any different from the system in place now? Once you have installed malware all bets are off, regardless of you locking the front door or not. The two are hardly related.

    Or is the thinking here that through some secret menu the guest user will be able to unlock everything?

    1. energystar
      Joke

      Re: "privilege escalation attacks"

      Nobody is going to answer you, of course. Freshness [and price] is down.

    2. energystar
      IT Angle

      Re: "privilege escalation attacks"

      The wrong thinking here is that once scalable authentication is used, scalable access is going to be provided [seems to suggest about both the platform and installed apps].

  32. Anonymous Coward
    Anonymous Coward

    Biometrics

    "Biometric authentication is a powerful enabler, allowing businesses smart enough to deploy it to significantly increase rates of registration, gaining data and insight about their customers, while also increasing customer security"

    ...if you find you've been hacked, you can change your passwords. You cannot change your fingerprints + eye colour.

    http://www.theregister.co.uk/2014/09/23/iphone_6_still_vulnerable_to_touchid_fingerprint_hack/

    I also don't imagine it's too hard to trick a device into doing things via a remote malware-installed connection, while the device thinks it's in 'trusted' surroundings.

    1. Charles 9

      Re: Biometrics

      But for people with bad memories, passwords are not an option. At least, normally, you can't lose your fingers...

      1. Anonymous Coward
        Anonymous Coward

        Re: Biometrics

        "At least, normally, you can't lose your fingers."

        Only because nobody needs your fingers right now. Once your fingers are the keys to your bank account, criminals will become a lot more interested in them.

        I'd much rather lose a password than a digit.

  33. John 104

    Biometric authentication is a powerful enabler, allowing businesses smart enough to deploy it to significantly increase rates of registration, gaining data and insight about their customers, while also increasing customer security

    1st, increase registration.

    2nd Gain Data

    3rd Track usage

    4th Oh yeah, security.

    What a bunch of horse shit.

    Not to mention, here in the US your biometrics can be subpoenaed by court order to make you unlock your phone. Your PIN, however, is exempt.

    1. Anonymous Coward
      Anonymous Coward

      1. Collect underpants

      2. ?

      3. Security!

  34. smartypants

    All this anger...

    Authentication is a concern of ordinary people these days, and passwords don't work, as every single unauthorised data release of password choices demonstrates.

    Those of us with painstakingly-thought-through password strategies are pretty irrelevant. We're the tiny minority. And we're probably even the minority of IT people in charge of systems that are supposedly 'secure', given some of the hilarious failures in IT departments of well known brands over the years.

    So downvote all you like. Passwords had their chance, and they failed.

    1. energystar
      Angel

      Re: All this anger...

      Every system I deployed with carefully selected, carefully annotated at hard notebooks. A pile of them. Beauty ;)

      Just a week vacation and a replacement, and a boot blasting of passwords, and a SINGLE master key installed, everywhere. Even more Beautiful :)

  35. Anonymous Coward
    Anonymous Coward

    How can this possibly work?

    I am using my phone and it is sure I am me. I put it down for a minute and go to the bathroom. Someone else picks it up. How can it recalculate a trust score based on stuff like typing speed etc. immediately after someone else has grabbed it. Unless they point the camera towards their face, how is it going to know it wasn't me picking it up again.

    This is stupid, Google is just looking for an excuse to collect ever more invasive data on you. Glad I won't have to deal with this latest data grab!

    1. Charles 9

      Re: How can this possibly work?

      Turn it OFF before you go to the bathroom and it engages the lockscreen. Bet you have to prove yourself again before it'll unlock, and that can be done quickly enough. And yes, they can use the camera.

      1. Anonymous Coward
        Anonymous Coward

        Re: How can this possibly work?

        If you have to do the normal unlock stuff to unlock it, what's the point of this? Is it to figure out if someone else is handling your phone after you already unlocked it? Unless you leave it laying around all the time, generally when someone else is handling your phone it is because you want them to look at something, it would be counterproductive if it decided to switch off because it figured that out.

        Still think the idea is stupid, and even stupider if the normal methods of unlocking are still required. I thought the whole point was that this would bypass the need for stuff like passwords, fingerprints, etc. If not, then what good is it? (Not that it is going to be all that good at the other, either)

    2. energystar
      Paris Hilton

      Re: How can this possibly work?

      Who says They weren't? Who says Everyone isn't?

      1. energystar
        Windows

        Re: How can this possibly work?

        No doubt they'll give the option to keep as always. But better your privacy [in between you and Google] if not.

  36. raving angry loony

    Oh yeah, I can't see any problems with that.

    Great, so I'm travelling, I get the flu, and suddenly my phone doesn't work because my hands are shaking and my voice is screwed up.

    No drawbacks to that particular plan, none at all.

  37. Steve Knox

    Typo?

    “The future lies in methods of authentication without passwords, which consumers clearly favour, both in terms of convenience and enhanced security,” Lack commented.

    s/b

    “The future lies in methods of authentication without passwords, which consumers clearly favour, both in terms of convenience and enhanced security lack", he commented.

    ?

    1. energystar

      Re: Typo?

      Well, ;)

  38. Matthew 26
    FAIL

    So, If I Break My Wrist

    I lose access to my phone for 6 weeks because I have to type in text one handed?

    Bloody brilliant.

    1. Anonymous Coward
      Anonymous Coward

      Re: So, If I Break My Wrist

      Don't you type text in one-handed ANYWAY since your other hand's typically HOLDING the phone?

  39. Anonymous Coward
    Anonymous Coward

    Leaky apps, always on slurping, now this, what's not to like...?

    Was using HTC smartphones for a decade but they both died (XDA IIs / XDA IIi thank you for your loyal service)...

    Now I've gone back in time and am using two very simple phones, just Samsung GT E1200, (like something from a decade ago).

    I 'do' internet via desktop Linux only.

    The risk / reward otherwise just isn't worth it... Plus when you don't share airwaves you don't have a watered down 'limited unlimited' connection. Bad deal for users, great deal for telcos!

  40. john devoy

    seems a bit suspect

    So they're going to build trust scores partly built by monitoring your surroundings, sounds like a back door way of having people track themselves, saving Google the hassle.

    1. energystar
      Paris Hilton

      Re: seems a bit suspect

      ??? What's different from before, Industry wide speaking?

    2. energystar
      Devil

      Re: seems a bit suspect

      Even the sound of your real back door at home should have a 'signal signature'

    3. energystar
      Linux

      Re: seems a bit suspect

      Not asking for a password, simply because -in reality [my aluminum foil hat reality]- the Industry doesn't need you to type ANYTHING to know you are you.

  41. Anonymous Coward
    Anonymous Coward

    Android already lets me set up safe zones using location or proximity information so I don't have to put my unlock password in while connected to my car's bluetooth, or my home's wifi. This seems like an extension of that thought process.

    I am just glad I don't work on a telco helpdesk. You can't log in Sir? Please take off your sunglasses so the phone can get a good look at you. No.. ok, are you swiping through the menus faster than normal? Well you can't do that, yes I know it's hard when you're frustrated but you have to calm down or the phone won't recognise you..

  42. Jin

    False Rejection Vs False Acceptance

    False acceptance must be zero or very close to zero. Then false rejection necessarily occurs. Falsely rejected users must be rescued somehow. In cyber space, the users have to rescue themselves if they are not ready to accept the denial of access. They need a password for fallback. Passwords will never be allowed to go away.

    The following video explains how biometrics with a fallback password makes a backdoor to password-protected information.

    https://youtu.be/5e2oHZccMe4

    1. Charles 9

      Re: False Rejection Vs False Acceptance

      Well, what alternatives are there for people with really bad memories, which are a significant segment of the population?

      1. CheeseTriangles
        Happy

        Re: False Rejection Vs False Acceptance

        Password manager?

        Strong password (maybe created with diceware?) for password manager access.

        1. Charles 9

          Re: False Rejection Vs False Acceptance

          Communal computer so can't trust it? Memory SO bad they can't remember even the ONE strong password (because they can't even remember their birthday)?
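
Added example, not part of any comment in this thread: the false-acceptance versus false-rejection trade-off raised in post 42, and the effect of a fallback password, worked through in Python. The scores, the 1% password-guess probability and every function name are constructed for illustration and are not taken from Google's Trust API.

```python
# Constructed sample trust scores (0-100); not measurements from any real system.
GENUINE = [62, 70, 74, 78, 81, 85, 88, 90, 93, 96]    # the owner using the device
IMPOSTOR = [12, 20, 25, 31, 38, 44, 52, 58, 66, 73]   # someone else using it


def far(threshold, impostor=IMPOSTOR):
    """False acceptance rate: share of impostor attempts scoring >= threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False rejection rate: share of genuine attempts scoring < threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def lowest_threshold_for(max_far):
    """Lowest integer threshold whose false acceptance rate is within max_far."""
    for t in range(0, 101):
        if far(t) <= max_far:
            return t
    return None


def or_fallback(far_score, p_guess):
    """Score OR fallback password: an impostor gets in if either check passes."""
    return 1 - (1 - far_score) * (1 - p_guess)


def and_two_factor(far_score, p_guess):
    """Score AND password (2FA): an impostor must pass both checks."""
    return far_score * p_guess


def report(p_guess=0.01):
    """(threshold, FAR, FRR, OR-fallback acceptance, AND acceptance) per setting."""
    rows = []
    for t in (60, lowest_threshold_for(0.0)):
        f = far(t)
        rows.append((t, f, frr(t), or_fallback(f, p_guess), and_two_factor(f, p_guess)))
    return rows


if __name__ == "__main__":
    print("thresh   FAR   FRR  OR-fallback  AND-2FA")
    for t, f, r, o, a in report():
        print(f"{t:6d} {f:5.2f} {r:5.2f} {o:12.4f} {a:8.4f}")
```

On this constructed data, pushing the score's false acceptance to zero rejects two of ten genuine attempts, and once a password is accepted as the alternative route the impostor acceptance rate is never lower than the password's own guess rate.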

  43. teebie

    "Factors such as typing speed, vocal inflexions, facial recognition"

    So if I get gurning drunk I can't send text messages or call people?

    Yeah, I can live with that.
