Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×
Security Google

Google Tests Signing Into Accounts Using Your Phone, No Password Required (venturebeat.com) 108

An anonymous reader writes: Google's battle against poor passwords continues. The company is now testing a new Google Account option that lets users login using their phone, skipping the part where you have to enter your password. The feature uses your phone to authenticate your identity by bringing up a notification that allows you to grant or deny access to your account. Google confirmed it was testing the feature with a small group of users.
This discussion has been archived. No new comments can be posted.

Google Tests Signing Into Accounts Using Your Phone, No Password Required

Comments Filter:
  • by Anonymous Coward

    Use an app to app an app on the app app while apping other apps!

    Apps!

  • by nmb3000 ( 741169 ) <nmb3000@that-google-mail-site.com> on Tuesday December 22, 2015 @08:05PM (#51168461) Journal

    This is still single-factor authentication. All they've done is change from "something you know" to "something you have". And, since that "something you have" can break or get lost or stolen, I'm not sure they haven't just replaced one problem with another.

    Passwords suck, but nobody can steal your password from your work/library/restaurant table while you're off taking a dump (or whatever).

    • If somebody has access to your phone, they have access to your email. If they have access to your email they have access to all your accounts since they can reset the passwords quite easily.

      So make sure you have a secure lock screen on that phone to turn it into two-factor auth.

    • by AmiMoJo ( 196126 )

      It's two factor. Phone and fingerprint.

      • Is this the same fingerprint that Android was, until a very recent release, storing as an unencrypted image that all apps had access to?
        • by AmiMoJo ( 196126 )

          No. That was just HTC with their custom implementation. Android's native system uses (and requires) the phone's secure storage area that is hardware protected (similar to Android Pay and Apple's secure storage). Samsung also use secure storage for their custom fingerprint scanner.

          It was only ever HTC doing their own thing.

    • All they've done is change from "something you know" to "something you have".

      Theyve switched from "something that can be extracted by torture or extortion" to "something commonly lost and easily stolen". Great.

      Now when you lose your phone, instead of being out $500 and minor hassles, you're out all your bank accounts, your entire online existence and major hassles.

      • Now when you lose your phone, instead of being out $500 and minor hassles, you're out all your bank accounts, your entire online existence and major hassles.

        We're talking about email here. I already don't need a password to check email on my phone so if you steal my phone you get my email anyways. I don't see how this decreases security at all. You can argue that security on phones is too lax but this doesn't really make it any worse. I've never had my phone stolen but if I did, I would realize it in a matter of minutes and then would quickly need to change all my passwords anyways as my phone already has the keys to everything with or without this change.

    • No, it's two factor authentication - something you have (a particular phone) and something else which you have (connection to a mobile network). So for me, that's a non-starter.
  • WTF? (Score:3, Insightful)

    by YrWrstNtmr ( 564987 ) on Tuesday December 22, 2015 @08:12PM (#51168511)
    I'm sorry...but not everything needs to revolve around the 'phone'.

    My phone is stolen/broken/lost..and now I can't use my laptop to get into my email?

    "You won’t need your password to sign in, but you can always use it if you want to"
    And after a while of not using that password...you've completely forgotten it.
    • I'm sorry...but not everything needs to revolve around the 'phone'. My phone is stolen/broken/lost..and now I can't use my laptop to get into my email? "You won’t need your password to sign in, but you can always use it if you want to" And after a while of not using that password...you've completely forgotten it.

      So make sure that you have backup password reset options configured, like SMS to the phone of a trusted friend or two, and some one-time codes printed out and stored in a safe place.

      Also, it wouldn't surprise me if the new feature actually does require you to use your password once in a while, specifically to ensure you don't forget it. Android does that for phones with fingerprint authentication, so you don't forget it.

    • by AmiMoJo ( 196126 )

      There will be an alternative way to sign in, so losing your phone won't lock you out. It will be like current 2FA on Google, where you need a backup option.

    • And after a while of not using that password...you've completely forgotten it.

      You should never have known it to begin with. Your password should be like the line to get into an Insane Clowns Posse concert: random, long, and difficult. Use lastpass to manage them.

  • If this became popular I'd predict a sharp increase in the theft of smartphones. Bad idea, Google.
  • To those saying that if a thief steal my phone, they would then have access to my password-less Google account, I reply: Ha! My phone is locked with a password! Take that you evil guy!

  • I don't do anything sensitive on my phone. That includes everything from banking all the way down to email. I just don't.

    What that means is that I don't have a lock screen on my phone. You hit the power button, pull the ring up, and you're in. Why do I do this?

    1) Much more convenient
    2) Email on my phone is a major PITA
    3) I don't trust my phone enough to access my money though it
    4) If I lose my phone and it's found, the finder can open my phone and easily get my address/email (an app I wrote).
  • Not great. Now Google will have unrestricted access to my activity. Right now, I can download a 'log out' app to unhitch me from the forced marrriage to Google. This will be Google's work around for that, too; an unavoidable, continuous login.
  • They need to issue a recovery password for every account. This would be a serial number in case the account ever gets hijacked. It can only get you in to reset your password. It could be written down and stored in a safe or in a safety deposit box. And it cannot be changed. It would be displayed only one time by the website and never be visible again to anyone. So you click on the link, it says "record this" and you write it down and put it in a safe. And that link would never work again.

    Yes

    • They need to issue a recovery password for every account. This would be a serial number in case the account ever gets hijacked. It can only get you in to reset your password. It could be written down and stored in a safe or in a safety deposit box. And it cannot be changed. It would be displayed only one time by the website and never be visible again to anyone. So you click on the link, it says "record this" and you write it down and put it in a safe. And that link would never work again.

      Yes yes, I know, you hate the idea.

      They already offer this for their 2-factor system. They issue you 10 single use keys that you can use in place of the code generate by the phone app. It works almost exactly as you described. There is no reason that it couldn't easily be carried over to this system.

  • Vast majority of the people have no lock screen on their laptops, pads, home computer and phones. And they also let their browser save the passwords. For such people this phone authentication is an improvement. Even if they lose any other device, as long as they don't lose their authentication phone, they are safe. At least safer than before.

    People who eschew the "convenience trumps security" mentality and are willing to jump through the hoops for better security this approach does not offer much. But we

  • DO. NOT. WANT.

    Seriously, your phone gets stolen and now you're really fucked. What kind of brainiacs think this shit up??

    FFS, repeat after me: Your phone is not your life. Your phone is not the most important thing in the universe. Your phone should not hold the keys to your kingdom. And losing your phone should not immediately put your personal info, email, banking, and other critical information at risk.

  • As far i know, the smartphone Oses are still on their infancy in terms of actual safety and have a *LOT* of security flaws that sometimes are unpatched because the mobile operator locked the whole stuff up.
    This sounds to me like a great way to give all the google accounts to the first one that come up with a virus that break and steals the credentials of those devices.

  • Next will be phone login and using the camera to verify you have the phone,
    face or fingerprint, even retina scan ?
    Might give Google all knowledge about you,
    but at least it will be guaranteed identification.
    It will make people feel more secure about online transactions, etc.

  • by Anonymous Coward

    SMS messages are not encrypted, and anyone with your IMEI number can program a phone to be 'your' phone.

    This just takes security completely out of your hands into the NSA/FBI/gooberment's hands.

    This is a stupid idea and makes it EASIER to get your credentials.

  • I don't even own a mobile phone and will never give them any phone numbers.

  • Now each app will be able to get full access to your Google account, vacuum up e-mail, etc.
    Not that they didn't have already, but not being covert access removes any grounds for class action lawsuits.

    Hey, you agreed to it give the app full access to your account the moment you (insert action here).

  • "Google's battle against poor passwords continues."

    Their battle against VPNs continues as well. Each time I check my mail with my VPN active I get blocked or I have to change my password _again_.

All syllogisms have three parts, therefore this is not a syllogism.

Working...