We’ve written many times about the latest and greatest new technology that says it will supplant the password.
Of course, with password managers to take care of ch00sing c0MPl1c/\tEd p455WOrdz for us, and with two-factor authentication (2FA) to reduce the value of stolen or poorly-chosen passwords, you could argue that we no longer need to supplant passwords, because they’re easier than ever to use securely.
Password managers not only happily use passwords like 5G*wjcn@03lWRFq, where humans might end up going for PetsName99, but also associate passwords with specific websites, thus reducing the risk of being phished by putting a real password into a bogus web page.
2FA typically uses one-time login codes, delivered by SMS or generated by a special mobile app, that you need to enter along with your password, so that the password alone no longer lets crooks into your account.
Nevertheless, even if you use a password manager, you need a proper password for the password manager itself.
And even though 2FA makes things tougher for the crooks, it does add a small, extra step to the login process.
That’s enough inconvenience, known as friction in modern user interface jargon, to spur researchers worldwide to find ways of verifying who you are without asking you to enter long sTR1/\/gs of \/\/eird char4Ct3rz, especially if you’re using the fiddly virtual keyboards on today’s mobile phones.
What you really want
What you really want, say researchers into password replacement, is an authentication method that doesn’t involve a secret that you need to choose in the first place.
Nothing to memorise, and therefore nothing to forget; nothing that needs writing down; nothing that can easily be figured out or cloned by crooks; nothing that will ever need changing; nothing to type in.
In short: an automatic, or nearly-automatic, system that is at least as secure as 14 or more characters of randomly jumbled letters, digits, punctuations and emojis.
As you can imagine, solutions of this sort inevitably require some sort of biometric or behavioural data, such as your fingerprints, the pattern in your iris, your face, the way you speak and even, in one proposal we wrote up recently, the way your skull echoes. (Perhaps “how it conducts and reflects sound” is a less hollow way of putting that.)
There have been lots of problems with many of the password replacements proposed over the years.
For example, it turns out to be really easy to create dummy fingerprints – apparently, you can mould them from boiled-up gummi bears, or from liquid wood glue.
Face recognition needs to do sophisticated motion detection as well, lest a crook simply hold up a picture to the camera.
And most biometric solutions have the thorny issue that you can’t change your “password” if it should ever be compromised.
Google thinks it has the answer: build the biometric measurements into the device and the operating system itself by tracking some, any or all of how you type, speak, move, and otherwise conduct your online life…
…so that the device can vouch for you at any moment.
Google’s Advanced Technologies and Projects division, or ATAP for short, calls it Project Abacus, and it’s supposed to keep track of your behaviour as you work, and maintain a rolling score called a Trust Score.
As far as we can see, your Trust Score is a sort of probability measure that the person who’s been using your phone for the past few minutes is the same person that has used it for the days, weeks or months before that.
By interrogating the Trust Score at any moment, an app can decide how much access to give you.
For example, perhaps you’re a good enough imposter to start playing an online game, but not realistic enough to make in-game purchases?
Perhaps you can click Facebook Likes, but not change the account password?
Maybe you can pay bills to existing creditors but not remit money to new accounts?
Sounds good, but we challenge you to watch the video below without getting creeped out at least a little:
Google has announced that financial institutions will start trialling the Trust Score system as soon as next month (June 2016).
Considering how frequently we have written in recent years about the insecurity of mobile apps, notably how they often seem to make a mess of the cryptographic security that their desktop counterparts have enjoyed for years…
…let’s hope that Google isn’t putting the security cart before the horse.