Google’s creepy plan to kill the password
The password may be broken, but is 24/7 biometric tracking really any better?
In the grab bag of Google/Alphabet’s big projects for 2016 is Project Abacus. It’s basically the company’s plot to kill the password in cold blood, by replacing it with smartphone user authentication via an uncrackable collection of biometric readings.
Abacus would lock or unlock devices and apps based on a cumulative “trust score” — as your phone continually monitors and recognizes your location patterns, voice and speech patterns, how you walk and type, and your face (among other things).
Like many things Google, it sounds miraculous. Your phone will just know it’s you. And infosec pundits who believe we’re stuck in password-hell Groundhog Day because “regular” people won’t do security if it’s inconvenient, will rejoice.
Former Googler Chris Messina sounded ecstatic about it on Twitter, saying that Abacus would beat the current gold standard, two-factor authentication, since losing access to SMS wouldn’t break the whole system.
Cisco engineer Shawn Cooley countered him saying, “very cool until I break my leg or hand & can’t auth to any services to get healthcare info since my behavior is diff.” Messina said, “you presume that your health records aren’t being managed by Verily. You would be wrong.”
During its first public demo at Google’s I/O conference, Regina Dugan claimed that with its “trust score” method, Project Abacus “may prove to be ten-fold more secure than just a fingerprint sensor.” And it’s easy to believe this could be true.
Chris Messina ❄︎ (@chrismessina):
Alphabet’s #ProjectAbacus is algorithmic/probabilistic user identity & trust scoring. HUUUGE – https://t.co/iAg2r2YY4K
For keeping out attackers, the password is a manageable solution that can range from weak to tough — and right now, “killing the password” is a trendy set of words. Regular password systems are considered the weakest, especially ones that require a password to be short and simple.
Coming more into fashion now is two-factor authentication. This typically combines login with a text message or email you need as a second step for verifying it’s really you. It’s tougher to hack, and this year it’s being phased in for banking customers by federal mandate. And then we have fingerprints, which are very secure and onerous to imitate, although a thumbprint can be obtained by physical force. Instead of any of these current “front door locks” on our phones, accounts and logins, someone using Abacus would … actually do very little.
Google would do all the work. Correction, the work is already being done. All the data and constant monitoring needed by Abacus is already happening with your smartphone. Like its contemporaries Facebook and Apple, Google is already tracking and recording you up the… you know. That’s why law enforcement loves it when suspects use smartphones.
To make Abacus use our tracked information as a security system, it’s only a matter of putting it all together and giving it a shiny front-end. What it also requires, however, is constant, invasive surveillance and access to some pretty intimate records.
Great idea, scary in real life.
But as tech giants chew up the privacy landscape in their determination to become everything-in-one, is this a natural solution for user security? Or is this just another boneheaded tech idea that’s gonna be way too creepy to catch on?
My money’s on Project Abacus ending up a time-honored (hi Glass!), well-intentioned, and out-of-touch (I miss you Reader!) moment of Alpha-Goog self-indulgence.
Abacus would ostensibly roll out to Android devices with a simple software update — a touchy subject for its users, who are bitterly accustomed to getting left out of the latest versions of things. Users who are all too often left out of the security loop with patches and updates.
Perhaps securing Android itself might be the most awesome thing to do first. I’m not exactly sure how I feel about an app collecting literally everything possible about me to create a “trust score” dossier running on Android, considered by some to be the most hacked operating system on the planet.
In the end, I’ll agree that Project Abacus is trying to solve a user security problem that is in dire need of a fix.
However, this problem isn’t going to be solved at the user level. An unbeatable password system would only stop attackers from getting in if the security of everything around it is perfect.
Meaning, you could agree to Google’s Project Cavity Search and swim in a pool of security superiority all you want, but when your bank gets popped by an Eastern European crime syndicate, you’re still just as screwed when your data hits darknet sites.
The real problem isn’t that passwords suck, it’s that data collection on us has gotten waaaay out of our control. And most data dealers are terrible at security.
I get that Google can’t solve the bigger problem for consumers, namely everyone else’s security failures, and is instead trying to make our own front line security better. It’s about time everyone was passionate about this.
But just imagine the potential of a different approach. What if instead of trying to Orwell the password into the past, Alpha-Goog instead focused its brainpower on giving us a tool to rein in the tracking and sales free-for-all that’s currently going on with our data?