Nix the pass­word: Google tests lo­gin via phone

Pit­falls re­main in search for se­cure, hack-proof and con­ve­nient way to ac­cess on­line ac­counts

The Hamilton Spectator - - BUSINESS - AN­DREA PETER­SON Wash­ing­ton Post

Google is test­ing out a new way to sign into their ser­vices — and it nixes one of the most an­noy­ing se­cu­rity mea­sures out there: pass­words. The tech gi­ant is try­ing out a fea­ture that lets some users con­firm their iden­tity just by us­ing their smart­phones.

The move is not only just the lat­est sign that the tech in­dus­try is try­ing to get users away from pass­words, but it’s also the lat­est sign that com­pa­nies still aren’t quite sure how to re­place them yet.

Pass­words are al­most im­pos­si­ble to es­cape right now, but keep­ing track of the dozens you need just to nav­i­gate your daily on­line life can be mad­den­ing.

And they’re also al­most uni­ver­sally hated: Cre­at­ing strong, unique pass­words can feel like pulling teeth and reusing them can leave you vul­ner­a­ble when a ser­vice you rely on gets breached. More­over, data from those al­most in­evitable breaches shows that peo­ple keep stick­ing to such ridicu­lously easy to guess pass­words as “123456” or, well, “pass­word.”

“Right now it’s rel­a­tively con­ve­nient to have a sim­ple pass­word,” said Al­varo Be­doya, the ex­ec­u­tive di­rec­tor of Ge­orge­town Law’s Cen­ter on Pri­vacy & Tech­nol­ogy. “But as hacks in­crease and breaches pro­lif­er­ate, peo­ple are start­ing to re­al­ize that also may be dan­ger­ous.”

Many big sites and ser­vices now of­fer two-fac­tor au­then­ti­ca­tion — an added layer of pro­tec­tion that of­ten works by making you en­ter a code that’s de­liv­ered to your phone via text mes­sages or an app.

Google’s new test seems to be a lot like just tak­ing the pass­word part out of this com­mon two-fac­tor equa­tion — and it ap­pears to be very sim­i­lar to a sys­tem Ya­hoo launched for its mail app users ear­lier this year.

The sys­tem is pretty straight­for­ward, ac­cord­ing to a Red­dit post from user rp1226 that ap­pears to have first brought the test to light. “You au­tho­rize your phone to al­low you to log in to your ac­count. You go into a com­puter and type in your email. Then you get a mes­sage on your phone to al­low the lo­gin. If you hit yes, the com­puter logs into your Google ac­count with­out a pass­word,” he wrote.

The test works for both An­droid and iOS de­vices and users can still use their pass­word to lo­gin as nor­mal if they don’t have their phone handy. If you lose your phone, the de­vice’s lock screen should pro­tect your ac­counts from fall­ing into the wrong hands, and you can re­voke ac­cess to the fea­ture from a de­vice at any time, ac­cord­ing to a copy of doc­u­men­ta­tion ac­com­pa­ny­ing the test posted by the Red­dit user.

But there are some pit­falls to the phone-only ap­proach: If some­one is able to ac­cess your phone while it’s un­locked, they could po­ten­tially log in to your ac­count. (Al­though, pre­sum­ably, if they have your un­locked phone they’ve al­ready got­ten to a trea­sure trove of your per­sonal data that prob­a­bly in­cludes your in­box.)

An­other boom­ing pass­word al­ter­na­tive is bio­met­rics, which use phys­i­cal char­ac­ter­is­tics like your fin­ger­prints to prove who you are.

Finger­print scan­ning is al­ready hap­pen­ing with newer iPhones around the world and in some work­places. The method can be ap­peal­ing be­cause, un­like pass­words, you aren’t really able to forget your fin­ger­prints.

But that’s also a po­ten­tial prob­lem: Your fin­ger­prints are per­ma­nent, so they can’t be changed even if, say, they are among a mas­sive trove of prints com­pro­mised by a hack at a ma­jor gov­ern­ment agency.

And un­like pass­words, they aren’t se­crets: You leave them on a lot of things you touch and some re­search has even sug­gested fakes good enough to fool some sys­tems can be made from high res­o­lu­tion pho­tos of your hands.

Be­doya says peo­ple and com­pa­nies should think care­fully be­fore re­ly­ing solely on any one type of au­then­ti­ca­tion be­cause they each come with their own risks.

“At the end of the day, the more fac­tors you add — the more se­cure you are,” he said.


Google is test­ing out a new way of let­ting users log into its ser­vices via their smart­phones in­stead of pass­words.

Newspapers in English

Newspapers from Canada

© PressReader. All rights reserved.