Google takes another stab at killing passwords


Sayonara, “password,” and fare thee well, “123456”: Google’s testing a new way of logging in with mobile phones instead of flimsy (though depressingly, persistently popular) passwords.

Google last month confirmed to Android Police that it’s testing the feature with a small number of users on both Android and iOS mobile operating systems.

The publication quoted a Google spokesperson who gave this password-menacing statement:

We've invited a small group of users to help test a new way to sign in to their Google accounts, no password required. 'Pizza', 'password' and '123456' - your days are numbered.

Do we really need a new way to sign into our Google accounts?

It’s not a bad idea, given that passwords are often the weakest link in authenticating that users are who they say they are.

As the yearly lists of the worst passwords show, many people still pick passwords that are trivially guessable.

Others reuse the same password across sites, setting themselves up for account break-ins when online crooks take logins stolen in one breach and try them against other services, as reportedly happened recently to Fitbit users.

Two-factor authentication (2FA), also known as two-step verification (2SV), can help, but some users find it a hassle to go through the extra step when logging in.

Android Police first got wind of the potential new password-less feature from a user invited to participate in the test: Rohit Paul, also known as Reddit user rp1226.

The test group, called Sign-in Experiments at Google, can be found on Google Groups.

The link is public, but membership is by invitation only, so you can’t view the group or take part unless you’ve been invited.

Based on the screenshots and the emailed invitation Paul posted, it looks like the new feature works by first setting it up on a compatible phone.

Paul’s phone, a Nexus 6P, was approved. It’s not clear what made it acceptable.

Of course, the feature could prove troublesome if the phone were to fall into the wrong hands.

While Google recommends using a lockscreen or Touch ID to avoid other people abusing the feature if they get physical access to a device, it doesn’t appear that such features are mandatory to participate in the test.

On Dec. 22, Paul posted Google’s invitation, along with screenshots showing how the password-less sign-in works.

Here are the authentication steps for users participating in the test, as Paul described them:

  1. Type in your email address on the login screen for Google, at google.com, and hit next.
  2. The next page tells a user to check their phone and enter the challenge.
  3. A notification appears on the phone: “Trying to sign in?”
  4. When he opened the phone notification, Paul was asked if he were trying to sign in from another computer. He answered yes.
  5. Next, a user would enter the challenge, which in Paul’s case was a two-digit number.
  6. That signed him into Google’s page on his computer.
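To make the exchange concrete, here is a small server-side model of the flow, added to this article; it is not Google's code and is not derived from Paul's screenshots beyond the six steps above. Everything not stated in those steps is an assumption made for the example: the one-minute lifetime of a prompt, the three-attempt limit on the two-digit number, the `login_id` that ties the phone's push notification back to the browser that typed the email address, the rule that the number is shown only on the computer and typed into the phone (so an approval cannot be given to a prompt the user did not trigger), and the password fallback for sessions a risk check has flagged (the article says Google may fall back to the password but not how it decides).

```python
"""Toy model of phone-prompt sign-in with a challenge number (added example).

Assumptions, none of them from the article: prompt lifetime, attempt limit,
the login_id correlating push and browser, challenge shown only on the
computer, and the risk-based password fallback.
"""
import secrets
import time
from dataclasses import dataclass

CHALLENGE_TTL_SECONDS = 60   # assumed: an unanswered prompt expires
MAX_WRONG_CHALLENGES = 3     # assumed: guessing limit for a two-digit code


@dataclass
class PendingLogin:
    email: str
    browser_session: str     # the computer that typed the email address
    phone_id: str            # the enrolled phone that must approve
    challenge: str           # two digits, displayed on the computer only
    created_at: float
    wrong_answers: int = 0
    approved: bool = False


class AuthServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.phones = {}             # email -> phone_id (enrolment assumed done on the phone)
        self.pending = {}            # login_id -> PendingLogin
        self.risky_sessions = set()  # browser sessions flagged by an assumed risk check

    def enrol_phone(self, email, phone_id):
        self.phones[email] = phone_id

    def flag_risky(self, browser_session):
        self.risky_sessions.add(browser_session)

    # Step 1: the user types an email address on the computer and hits next.
    def start_login(self, email, browser_session):
        if email not in self.phones or browser_session in self.risky_sessions:
            # No enrolled phone, or something looks phishy: ask for the password instead.
            return {"next": "password"}
        login_id = secrets.token_urlsafe(16)
        challenge = f"{secrets.randbelow(100):02d}"
        self.pending[login_id] = PendingLogin(
            email, browser_session, self.phones[email], challenge, self.clock())
        # Step 2: the page shows the number and says "check your phone".
        # Step 3: the phone receives the prompt, but NOT the number.
        return {"next": "check_phone", "login_id": login_id, "challenge": challenge,
                "push": {"to": self.phones[email], "login_id": login_id,
                         "prompt": "Trying to sign in?"}}

    # Steps 4-5: on the phone the user answers the prompt and types the number
    # read off the computer screen.
    def phone_respond(self, phone_id, login_id, trying_to_sign_in, typed_challenge):
        login = self.pending.get(login_id)
        if login is None or login.phone_id != phone_id:
            return "no_pending_login"
        if self.clock() - login.created_at > CHALLENGE_TTL_SECONDS:
            del self.pending[login_id]
            return "expired"
        if not trying_to_sign_in:
            # The user says it wasn't them: cancel the attempt rather than leave it live.
            del self.pending[login_id]
            return "denied"
        if typed_challenge != login.challenge:
            login.wrong_answers += 1
            if login.wrong_answers >= MAX_WRONG_CHALLENGES:
                del self.pending[login_id]
                return "locked_out"
            return "wrong_challenge"
        login.approved = True
        return "approved"

    # Step 6: the computer polls; only the browser that started this login is signed in.
    def browser_poll(self, login_id, browser_session):
        login = self.pending.get(login_id)
        if login is None or login.browser_session != browser_session:
            return "no_pending_login"
        if not login.approved:
            return "waiting"
        del self.pending[login_id]
        return "signed_in"


if __name__ == "__main__":
    server = AuthServer()
    server.enrol_phone("rohit@example.com", "nexus-6p")   # constructed sample data
    page = server.start_login("rohit@example.com", "browser-A")
    print("computer shows:", page["challenge"], "| phone gets:", page["push"]["prompt"])
    print(server.phone_respond("nexus-6p", page["login_id"], True, page["challenge"]))
    print(server.browser_poll(page["login_id"], "browser-A"))
```

The number is deliberately never sent to the phone: it only reaches the phone by the user reading it off the computer in front of them, which is what stops a user from waving through a prompt that an attacker triggered from elsewhere. A two-digit code gives an attacker a 1-in-100 guess per attempt, so the attempt limit and the short lifetime do the rest of the work.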

Testers can still opt for typing in passwords whenever they choose – say, when the feature isn’t available or their phone isn’t handy.

Also, Google says it might ask users to enter their password if they spot something phishy about how a user’s logging in.

Readers, would you opt for going through those steps to log in if given the chance? Or do you think, as some commenters suggested, that you could type (your long, strong password) faster and would rather skip the extra step?

Will the people who really need this, the ones who use 123456 as their universal key to everywhere, use it?

And if it proves popular, could widespread use of Google as a single sign-on provider make this just another single point of failure – a bulky, metal and plastic reused password?

Please share your thoughts below.

Image of easy password courtesy of Shutterstock.com