A fair argument could be made that passwords are more of a hassle than they’re worth. They’re a pain to juggle, recall, and enter, and in most cases aren’t even secure enough to protect from the most common forms of malicious cracking — according to a survey by cybersecurity firm TeleSign, 21 percent of people use passwords that are 10 years old and 73 percent use duplicated passwords. That’s why companies from Twitter to Microsoft, with the approval of the White House, have launched ambitious plans to “kill the password” in recent years, and one reason why Google’s eschewing passwords entirely: according to a Reddit user, the Internet monolith is testing a password-free login system that relies on a smartphone for authentication.
In a thread on Reddit, rp1225 reported receiving an e-mail invitation to test a new Google login method: smartphone-based sign in. Instead of relying on a pass phrase or two-factor authentication to secure your account, the new system leverages your smartphone’s location data and security settings.
Here’s how it appears to work: after formally enrolling in the program, accepting an invitation for a private Google Group, selecting a compatible phone, and enabling a form of screen lock on said phone, logging in to your Google account would no longer require a password. Instead, a prompt would appear on your smartphone when you sign in on the Web.
The program’s very much a work in progress, an FAQ included in the invitation notes. Depending on the circumstances, enrolled users “may be asked to complete an extra step or two,” and password-based login isn’t disabled entirely; you can still use your old pass code in case your phone’s dead, lost, or missing. There’s a mechanism for enrolling a new phone, too (although the criteria for “compatible” phones aren’t exactly clear), and a way to opt out of the new login system altogether.
The new system’s the latest of Google’s attempts to reduce reliance on passwords. In Android 5.1, the firm introduced On-Body detection, a system that uses your smartphone’s sensors to automatically bypass the lockscreen in certain scenarios. The company joined the FIDO Alliance to develop password-free standards. And in 2013, Google’s security team experimented with a Yubico cryptographic card that, when slid into a USB reader, could automatically log into an associated Google account.
And Google has some even wackier ideas. In a paper published in the engineering journal IEEE Security & Privacy Magazine, Eric Grosse, Google’s vice president of security, and engineer Mayank Upadhyay envision a “smartphone” or “smartcard-embedded ring finger” that can authorize a computer via nothing more than a tap. That may not come to pass, but if there’s one thing that’s certain, it’s that the password is doomed. Might as well give your current crop of pass codes (“password12345,” anyone?) an early retirement.