Google Tests Signing Into Accounts Using Your Phone, No Password Required (venturebeat.com) 108
An anonymous reader writes: Google's battle against poor passwords continues. The company is now testing a new Google Account option that lets users login using their phone, skipping the part where you have to enter your password. The feature uses your phone to authenticate your identity by bringing up a notification that allows you to grant or deny access to your account. Google confirmed it was testing the feature with a small group of users.
Re: I'm about to solve the problem another way (Score:5, Insightful)
This is Google Real names v2. They didn't like the backlash against them the first time but they want to propagate a unique ID to identify everything you do, so they make it easy for you to *use* any persona you have to log into their services. It's just a matter of time until you've logged in with each of your real life personas through all the devices and accounts you own, and every time they swallow one more chunk of your life history.
Re: (Score:1)
Google Authenticator over Wi-Fi (Score:3)
Multiple users have a wired phone line are going to be cheesed off.
Google could offer a list of carriers that sell service on Nexus phones. Or Google could offer an authenticator app [google.com] that works over Wi-Fi on tablets and on phones whose cellular service has expired. Or, as the featured article points out, passwords will continue to work for the foreseeable future. I can't verify whether Google is already offering passwordless authentication on Wi-Fi devices because the featured article didn't specify which devices are compatible beyond a screenshot stating "To use your phon
Re: (Score:2)
Re: (Score:1)
Your handing your real buying, surfing, searching information over with after every log in linked to a real gov ID, phone network ID for free.
Re: (Score:1)
Your weird English makes me suspect that you're from somewhere else, but what you're saying is definitely false in the USA.
Re: I'm about to solve the problem another way (Score:1)
Re: (Score:2)
So Android is out, spycrosoft 10 is out, and not sure I want in on the walled garden. Cyanogen and what else are options?
What is NDS? (Score:2)
Stop carrying a cell phone. I stopped carrying a cell phone earlier this year, and I no more miss it than when it was the 80s or 90s and I didn't have one.
And what device for, say, roadside assistance if one's car or bike breaks down? And what device for someone who doesn't drive to call to arrange a ride? Back in the 1980s and 1990s, one could use a payphone, but payphones have since been removed from service after the ubiquity of cell phones made them less profitable to maintain. Or is it a good idea to carry a PDA and a dumbphone as separate devices?
There are a [number] of other devices, with and without network connectivity, that you can use as a PDA for taking notes or pictures while you're on the go.
Any that aren't made by Apple? For some reason, the Android device makers never came out with a solid 4" to
Re: (Score:2)
Apps! (Score:1)
Use an app to app an app on the app app while apping other apps!
Apps!
Re: Apps! (Score:1)
Re: (Score:1)
Re: (Score:1)
Yep, now hackers don't need to hack your password anymore, they just need your phone and your pin (or crack the phone, which isn't hard on Android). Bingo, every stolen phone becomes a stolen identity! Progress!
Re: (Score:2)
If we change from "biggest danger is trojans and password-file hacks anywhere in the world" to "biggest danger is someone physically stealing my phone and cracking my PIN", that seems like a really, really big win. Especially if you like Hello Kitty [computerworld.com].
Single factor authentication (Score:5, Interesting)
This is still single-factor authentication. All they've done is change from "something you know" to "something you have". And, since that "something you have" can break or get lost or stolen, I'm not sure they haven't just replaced one problem with another.
Passwords suck, but nobody can steal your password from your work/library/restaurant table while you're off taking a dump (or whatever).
Re: (Score:1)
Re: (Score:3)
If somebody has access to your phone, they have access to your email. If they have access to your email they have access to all your accounts since they can reset the passwords quite easily.
So make sure you have a secure lock screen on that phone to turn it into two-factor auth.
Re: (Score:2)
Re: (Score:3)
If somebody has access to your phone, they have access to your email.
Maybe in Google's fantasy world, but certainly not in the world I now live in, using my actual phone, they don't! Having any possible connection between my phone and my email would be a bloody stupid thing to do, given the "security" of most phones.
I guess Freedom Bug should have qualified it with "For values of 'you' that include 99% of smartphone users."
Re: (Score:2)
There are some applications which are good at separating mail from the device. Divide comes to mind (which was bought by Google.) Touchdown is another app that I have used since 2010 for Exchange, and it can be configured to keep E-mail encrypted and separated from the OS.
iOS has a version of Touchdown, as well as MS Outlook, both offer separation and PIN protection.
The advantage of using one of these apps, especially in a BYOD environment, is if the Exchange admin issues a remote device wipe, it just kil
Re: (Score:2)
It's two factor. Phone and fingerprint.
Re: (Score:2)
Re: (Score:3)
No. That was just HTC with their custom implementation. Android's native system uses (and requires) the phone's secure storage area that is hardware protected (similar to Android Pay and Apple's secure storage). Samsung also use secure storage for their custom fingerprint scanner.
It was only ever HTC doing their own thing.
Re: (Score:2)
All they've done is change from "something you know" to "something you have".
Theyve switched from "something that can be extracted by torture or extortion" to "something commonly lost and easily stolen". Great.
Now when you lose your phone, instead of being out $500 and minor hassles, you're out all your bank accounts, your entire online existence and major hassles.
Re: (Score:2)
Now when you lose your phone, instead of being out $500 and minor hassles, you're out all your bank accounts, your entire online existence and major hassles.
We're talking about email here. I already don't need a password to check email on my phone so if you steal my phone you get my email anyways. I don't see how this decreases security at all. You can argue that security on phones is too lax but this doesn't really make it any worse. I've never had my phone stolen but if I did, I would realize it in a matter of minutes and then would quickly need to change all my passwords anyways as my phone already has the keys to everything with or without this change.
Re: (Score:2)
Re: (Score:2)
If you really want to write an anonymous first post, did you try expanding the story, right-clicking the title, and choosing "open in new tab"?
WTF? (Score:3, Insightful)
My phone is stolen/broken/lost..and now I can't use my laptop to get into my email?
"You won’t need your password to sign in, but you can always use it if you want to"
And after a while of not using that password...you've completely forgotten it.
Re: (Score:2)
Like many folks, I quit wearing or carrying a watch at least 10 years ago due to the fact I already carry a mobile phone that tells me what time it is. If and when these two devices converge into a Dick Tracy Two-Way Wrist TV, then I might adopt one of those, but until then, there's no reason to carry round a second device whose functionality is merely a subset of that provided by the other.
CA-53W vs. phone as a pocket watch (Score:2)
there's no reason to carry round a second device whose functionality is merely a subset of that provided by the other.
s/merely/nearly/ is more like it. If you're using your phone as a pocket watch, it's hard to pull your phone out with things in both your hands. And your phone probably can't switch among time, date, stopwatch, and calculator activities with a button that you can feel for instead of having to look down for.
I love my CA-53W.
Re: (Score:2)
I'm sorry...but not everything needs to revolve around the 'phone'. My phone is stolen/broken/lost..and now I can't use my laptop to get into my email? "You won’t need your password to sign in, but you can always use it if you want to" And after a while of not using that password...you've completely forgotten it.
So make sure that you have backup password reset options configured, like SMS to the phone of a trusted friend or two, and some one-time codes printed out and stored in a safe place.
Also, it wouldn't surprise me if the new feature actually does require you to use your password once in a while, specifically to ensure you don't forget it. Android does that for phones with fingerprint authentication, so you don't forget it.
Re: (Score:2)
There will be an alternative way to sign in, so losing your phone won't lock you out. It will be like current 2FA on Google, where you need a backup option.
Re: (Score:2)
And after a while of not using that password...you've completely forgotten it.
You should never have known it to begin with. Your password should be like the line to get into an Insane Clowns Posse concert: random, long, and difficult. Use lastpass to manage them.
Sounds great, until your phone gets stolen (Score:2)
Re: (Score:2)
Re: (Score:2)
Citation: "iPhone thefts down thanks to Apple 'kill switch'" by Amanda Schupak [cbsnews.com]
Accessing Google without a password (Score:2)
To those saying that if a thief steal my phone, they would then have access to my password-less Google account, I reply: Ha! My phone is locked with a password! Take that you evil guy!
No thank you (Score:2)
What that means is that I don't have a lock screen on my phone. You hit the power button, pull the ring up, and you're in. Why do I do this?
1) Much more convenient
2) Email on my phone is a major PITA
3) I don't trust my phone enough to access my money though it
4) If I lose my phone and it's found, the finder can open my phone and easily get my address/email (an app I wrote).
OTOH, it's an unaviodable login. (Score:1)
There needs to be a recovery password (Score:2)
They need to issue a recovery password for every account. This would be a serial number in case the account ever gets hijacked. It can only get you in to reset your password. It could be written down and stored in a safe or in a safety deposit box. And it cannot be changed. It would be displayed only one time by the website and never be visible again to anyone. So you click on the link, it says "record this" and you write it down and put it in a safe. And that link would never work again.
Yes
Re: (Score:2)
They need to issue a recovery password for every account. This would be a serial number in case the account ever gets hijacked. It can only get you in to reset your password. It could be written down and stored in a safe or in a safety deposit box. And it cannot be changed. It would be displayed only one time by the website and never be visible again to anyone. So you click on the link, it says "record this" and you write it down and put it in a safe. And that link would never work again.
Yes yes, I know, you hate the idea.
They already offer this for their 2-factor system. They issue you 10 single use keys that you can use in place of the code generate by the phone app. It works almost exactly as you described. There is no reason that it couldn't easily be carried over to this system.
It is actually an improvement. (Score:2)
People who eschew the "convenience trumps security" mentality and are willing to jump through the hoops for better security this approach does not offer much. But we
Re: (Score:2)
Mobile data in the United States hovers around 1-2 cents per MB. A single authentication request will likely take less than 0.05 MB.
NO. No no no no. (Score:2)
DO. NOT. WANT.
Seriously, your phone gets stolen and now you're really fucked. What kind of brainiacs think this shit up??
FFS, repeat after me: Your phone is not your life. Your phone is not the most important thing in the universe. Your phone should not hold the keys to your kingdom. And losing your phone should not immediately put your personal info, email, banking, and other critical information at risk.
Re: (Score:2)
Shia, is that you as an old guy (that old now?)? I do agree with you. No thanks! I don't even own a mobile phone.
Re: (Score:2)
Shia, is that you as an old guy (that old now?)?
No, I'm not Shia, but I was channeling him.
How about all the android security flaws? (Score:2)
As far i know, the smartphone Oses are still on their infancy in terms of actual safety and have a *LOT* of security flaws that sometimes are unpatched because the mobile operator locked the whole stuff up.
This sounds to me like a great way to give all the google accounts to the first one that come up with a virus that break and steals the credentials of those devices.
photo next (Score:1)
Next will be phone login and using the camera to verify you have the phone,
face or fingerprint, even retina scan ?
Might give Google all knowledge about you,
but at least it will be guaranteed identification.
It will make people feel more secure about online transactions, etc.
Re: (Score:2)
Emulation - Find out how it works and create a way to emulate it.
Newer Android devices contain a secure keystore [android.com] that can't be emulated quite so easily, as the device key in the Trusted Execution Environment won't chain back to a manufacturer trusted by Google.
Phones are NOT secure. (Score:1)
SMS messages are not encrypted, and anyone with your IMEI number can program a phone to be 'your' phone.
This just takes security completely out of your hands into the NSA/FBI/gooberment's hands.
This is a stupid idea and makes it EASIER to get your credentials.
No thanks. (Score:2)
I don't even own a mobile phone and will never give them any phone numbers.
A million minus one myriad and two (Score:2)
You've listed 10,002 sites (Yahoo, Facebook, and one myriad of others) that require a phone number. One could instead choose to abstain from those 10,002 sites and use one of the the 989,998 other sites that don't require a mobile phone number.
Easier access to your personal data (Score:2)
Now each app will be able to get full access to your Google account, vacuum up e-mail, etc.
Not that they didn't have already, but not being covert access removes any grounds for class action lawsuits.
Hey, you agreed to it give the app full access to your account the moment you (insert action here).
Not their only battle (Score:2)
"Google's battle against poor passwords continues."
Their battle against VPNs continues as well. Each time I check my mail with my VPN active I get blocked or I have to change my password _again_.