Google to kill passwords on Android, replace 'em with 'trust scores'
Hello, privilege escalation attacks
Google is planning to use “trust scores” to kill off traditional passwords on Android.
The internet giant wants to get rid of password logins, at least for Android apps, by 2017. Google outlined its plans at its I/O conference last week.
Google's Trust API technology would use a variety of metrics to create a trust score.
Factors such as typing speed, vocal inflexions, facial recognition and proximity to familiar Bluetooth devices and Wi-Fi hotspots would be used to calculate the score.
Games and basic tools would be run even if only a low trust score was achieved, while more sensitive apps such as banking and webmail would need the biometric and location-based data to line up and provide a high score.
This implies that a device could be unlocked to apps even with a low score, which provides an avenue for more privilege exploitation attacks. In contrast, if a passcode is set and forgotten, users are locked out and unable to access their data – in theory. It sounds like a trade-off between security and convenience, a classic security equation.
On the other hand, Android users typically allows access to all applications on their device without requiring password entry once a device is unlocked.
Richard Lack, director of sales EMEA at customer identity management firm Gigya, said Google’s plans are welcome as part of a broader push away from passwords which be characterised as a broken technology.
“The future lies in methods of authentication without passwords, which consumers clearly favour, both in terms of convenience and enhanced security,” Lack commented.
“Biometric authentication is a powerful enabler, allowing businesses smart enough to deploy it to significantly increase rates of registration, gaining data and insight about their customers, while also increasing customer security. This is a win/win scenario which sounds the death-knell for awkward and insecure passwords sooner than we may imagine.” ®