Are Passwords Going the Way of the Dinosaurs?


By now, most of us know the drill for logging into apps on our smartphones: Enter our username and password, and if we’ve set up two-factor authentication, a secret code or other piece of information. On some devices, you might be able to use a fingerprint scan to bypass the cumbersome login process (those little keys on the touchscreen can be tricky!) but most of the time, passwords are required.

If Google has its way, though, passwords will soon become a distant memory. According to a recent announcement, it’s possible that by the end of 2016, owners of Android devices will no longer need to enter passwords to access their smartphones and apps. That’s right: The days of a non-dictionary, alphanumeric combination of eight characters may be numbered.

Trust API

According to the Google announcement, the company’s Advanced Projects and Technology Division has been working on a new technology called Trust API. At the risk of oversimplifying, Trust API replaces passwords by relying on a number of factors to authenticate a user’s identity. These factors, which use the sensors already installed in smartphones, might include typing speed, facial recognition, location, and proximity to known Wi-Fi hotspots and Bluetooth devices. By combining readings from all of these factors, the device would calculate a “score,” which would then allow or deny access to the specific app being requested.

Because not all apps require the same level of authentication to run — you probably aren’t too worried about anyone accessing the calculator or Candy Crush without authorization — the Trust API scores would be tied to specific apps. Low risk apps, like games and basic functions, would require lower scores, theoretically allowing almost anyone access. High risk apps, like banking and social media, would require higher scores, preventing access by anyone other than you.
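To make the scoring idea concrete, here is an added sketch, not code from Google or from the Trust API itself, of how factor readings could be combined into one score and checked against a per-app threshold. The factor names, weights, thresholds and the `step_up` fallback are all assumptions made for illustration.

```python
from typing import Mapping, Optional

# Hypothetical weights for the factors the article lists (they sum to 1.0).
WEIGHTS = {"typing_speed": 0.15, "face_match": 0.35, "known_location": 0.20,
           "known_wifi": 0.15, "known_bluetooth": 0.15}

# Hypothetical per-app minimum scores: low-risk apps need less evidence.
THRESHOLDS = {"calculator": 0.0, "game": 0.05, "social": 0.60, "banking": 0.80}
DEFAULT_THRESHOLD = 0.80  # an app with no entry is treated as high risk


def trust_score(readings: Mapping[str, Optional[float]]) -> float:
    """Combine per-factor confidences (0.0 to 1.0) into one score.

    A missing or None reading contributes 0 instead of being dropped from
    the average, so an unavailable sensor can never raise the score.
    """
    score = 0.0
    for name, weight in WEIGHTS.items():
        value = readings.get(name)
        if value is None:
            continue
        score += weight * min(max(value, 0.0), 1.0)  # clamp out-of-range input
    return round(score, 4)


def decide(app: str, readings: Mapping[str, Optional[float]]) -> str:
    """Return 'allow', or 'step_up' to fall back to an explicit login."""
    needed = THRESHOLDS.get(app, DEFAULT_THRESHOLD)
    return "allow" if trust_score(readings) >= needed else "step_up"


# Constructed sample readings, not real sensor data.
OWNER_AT_HOME = {"typing_speed": 0.9, "face_match": 0.95, "known_location": 1.0,
                 "known_wifi": 1.0, "known_bluetooth": 1.0}
STRANGER = {"typing_speed": 0.3, "face_match": 0.05, "known_location": 0.0,
            "known_wifi": 0.0, "known_bluetooth": None}
# Only one factor is available; every other reading is missing.
FACE_ONLY = {"face_match": 0.95}

if __name__ == "__main__":
    for label, r in [("owner", OWNER_AT_HOME), ("stranger", STRANGER),
                     ("face only", FACE_ONLY)]:
        print(label, trust_score(r), {app: decide(app, r) for app in THRESHOLDS})
```

With these made-up numbers, the single strong reading in `FACE_ONLY` scores 0.3325 and is not enough for the social or banking thresholds; averaging over only the available factors would have scored it 0.95.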

The idea behind Trust API is that it takes advantage of the “smart” in smartphone. Google developers liken the technology to a happy medium between a password and an actual human granting access. A password, in a sense, is little more than a key. You might lock your front door, but if someone has the key, they can walk right into your home and take what they want — just as, if they capture the password to an account, they can log in and steal information, and you won’t notice until it’s too late. If someone is physically watching your home, or your online accounts, though, they will know that the person taking your things isn’t you, and can thwart entry before it’s too late.

Trust API, then, is designed to be a stronger gatekeeper to your accounts than a password. Instead of allowing anyone who knows the code through, the API checks what it knows about you against what it sees in the person attempting to gain access. It’s another layer of security, and one that’s fairly difficult for a criminal to duplicate.

Protecting Accounts in the Meantime

Trust API is currently in the testing stages, and Google expects that it could be rolled out to Android developers by the end of this year, and widely available in smartphones by the end of 2017. In the meantime, you need to continue to protect your Android device using the same tools and methods you use now. These include:

  • Installing antivirus protection to keep harmful viruses and malware from infecting your smartphone.
  • Learning the signs of phishing attacks and avoiding them.
  • Locking your device when not in use, and using strong passwords for all of your apps.
  • Only downloading apps from trusted sources.
  • Avoiding public Wi-Fi networks when accessing sensitive apps. It is very easy for a criminal to intercept data sent on public Wi-Fi networks, and entering usernames and passwords could be exposing your data. This is a problem that could be solved in part by Trust API.

Poor passwords and poor password management are among the leading causes of data breaches, and have led to billions of dollars in losses for enterprises and individuals alike. Google’s Trust API has the potential to eliminate passwords from the security equation, making it not only easier to use our smartphones, but also safer and more secure.