Google has set its sights on killing the user password… at least on Android devices. Big news from the Google I/O event as Google has unveiled the Trust API, which allows developers to use sensor and biometric data for authentication.
What’s the Problem with Passwords?
The one thing everyone loves to hate when it comes to the internet – the user password – is under fire. Actually… it’s been under fire for a long time now. Research has shown again and again that passwords are not a very good way to protect sensitive data.
The constant conflict between “security” and “convenience” is no different when it comes to passwords. In an ideal world, people would use a long string composed of completely random characters, numbers and symbols. Furthermore, a unique password would be used for every site or application the user uses.
Unfortunately, the more complex passwords become, the more likely people are to forget them. The longer the password, the more easily it is forgotten. Force users to change passwords and what do they do? They try to use the same password for every service or application. These are all big no-nos and essentially defeat the purpose of a password.
Enter Google and the Trust API.
Google is taking a stab at killing off the password on Android devices by introducing the Trust API. Originally announced early last year as a Google Advanced Technology and Projects (ATAP) group project called “Abacus”, the Trust API does what simple passwords cannot.
In essence, the Trust API (short for Application Programming Interface) gives developers a framework for securing their applications using a number of security systems and metrics on the device. A Trust Score will be generated from the metrics the device gathers, and access to an application will be allowed or denied automatically depending on whether your Trust Score is high enough. Some applications and websites will require a higher Trust Score (a bank, for example), while others may require a very low score (starting a local app, for instance).
The Trust Score will be generated from a number of metrics you would expect, including device location, face scanning and fingerprint, but also from things you wouldn’t normally think of, such as your typing speed or the way you speak. Taken one at a time, these metrics are not very secure. It’s easy to spoof your fingerprint or bypass the face scanner, but taken together, these metrics will help define the real “you.”
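The fusion-and-threshold idea described above, as an added sketch that is not Google's Trust API or code from the original article. The signal names, probabilities, thresholds and the naive-Bayes log-odds fusion are all assumptions made for illustration.

```python
import math

# Hypothetical per-app thresholds; the article gives no real values.
THRESHOLDS = {"banking": 0.99, "local_app": 0.50}

def _logit(p):
    # Clamp so that no single signal can be treated as absolute proof.
    p = min(max(p, 1e-6), 1 - 1e-6)
    return math.log(p / (1 - p))

def trust_score(signals):
    """Fuse per-signal owner probabilities into one score in [0, 1).

    Each value is the probability, judged from that signal alone, that the
    person holding the device is its owner. Assuming independent signals and
    an even prior, the log-odds simply add (naive Bayes fusion).
    """
    if not signals:
        return 0.0  # no evidence must mean no trust, not a neutral 0.5
    log_odds = sum(_logit(p) for p in signals.values())
    return 1 / (1 + math.exp(-log_odds))

def decide(app, signals):
    """Allow access only if the fused score meets the app's threshold."""
    return trust_score(signals) >= THRESHOLDS[app]

# Constructed sample readings (not measurements from any real device).
OWNER = {"fingerprint": 0.90, "face": 0.85, "location": 0.70,
         "typing_cadence": 0.75, "voice": 0.80}
# A forged fingerprint scores well, but every other signal disagrees.
FORGED_FINGERPRINT = {"fingerprint": 0.95, "face": 0.20, "location": 0.30,
                      "typing_cadence": 0.25, "voice": 0.30}
# One strong signal on its own, with nothing to corroborate it.
FINGERPRINT_ONLY = {"fingerprint": 0.95}

if __name__ == "__main__":
    cases = [("owner", OWNER), ("forged fingerprint", FORGED_FINGERPRINT),
             ("fingerprint only", FINGERPRINT_ONLY), ("no signals", {})]
    for name, readings in cases:
        verdicts = {app: decide(app, readings) for app in THRESHOLDS}
        print(f"{name:20s} score={trust_score(readings):.4f} {verdicts}")
```

Several moderately confident signals that agree clear the banking threshold, while a single strong signal only clears the low one and a forged fingerprint contradicted by the other signals clears neither.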
Sounds Great – Is This Just Pie in the Sky?
The good news is that Google has already been testing this on real-world data. Google partnered with several universities, provided loads of data and has proven the Trust API works. This summer Google will be running tests with some high-profile banks to see if the Trust API meets their needs before potentially rolling out to all developers later this year.
It may take another year for apps and popular sites to start using the Trust API, but at this point it seems like Google really will push forward with this.
This is a pretty exciting change. Passwords have been around since the dawn of computing, and although biometrics and two-factor authentication have helped improve the security of systems, they haven’t done much to improve the usability of those systems. Google appears to have the best of both worlds – a highly secure system that end users won’t even notice. Maybe that never-ending conflict between security and convenience will be able to take a break once the Trust system comes out.