Google has announced that it is to start replacing passwords as a method of verifying identity online for Android users.
In an August 12 Google Security Blog posting, Dongjing He, a Google software engineer, and Christian Brand, a Google product manager, explain that “new security technologies are surpassing passwords in terms of both strength and convenience.” Bearing this in mind, they continue, Google is “happy to announce that you can verify your identity by using your fingerprint or screen lock instead of a password when visiting certain Google services.”
What does this mean?
Truth be told, very little at this point. Consider it a flagging of the intent to move to a passwordless future, in much the same way that Microsoft has signaled an intention to replace Windows 10 passwords for 800 million users. In both cases, the common denominator is FIDO2 authentication.
The FIDO Alliance, where FIDO stands for Fast Identity Online, is an industry body on a mission to solve the problem of passwords through the use of open standards to drive technologies that can securely replace them. FIDO2 is a set of such standards that enable logins backed by strong cryptographic security. The changes that Google is making come “as a result of years of collaboration between Google and many other organizations in the FIDO Alliance and the W3C,” the announcement stated. W3C is the World Wide Web Consortium, and it recently approved a standard for a web authentication application programming interface (API) called WebAuthn, after three years of talking and testing.
This is the first time that Google has enabled the same biometric credentials, your fingerprint, to be used by both native Android apps and web services. Register your fingerprint once on your smartphone and then use it for both securely accessing your apps and web services, which makes it something of a big deal for the future.
For now, though, it is limited to just the Google Password Manager service. There is no indication as to when you will be able to use your fingerprint, or PIN, to access Gmail for example. But hey, you have to start somewhere, right?
When is Google starting the password replacement process?
The move to a passwordless future for accessing Google services has already started. According to the announcement, the change is an immediate one. However, there is a caveat: the rollout starts with Pixel Android devices only but will become available to “all Android 7+ devices over the next few days.”
With the latest statistics showing that there are now 2.6 billion active Android devices, and 68% of them running Android 7 or later, that means 1.7 billion people could be in line for passwordless logins to Google.
Is this a good thing for Google security?
Just how good this is for security remains open to debate. While there can be little doubting that password compromise is often at the heart of the data breach reports you read about, that has less to do with the password mechanism itself than it does with the way the user implements it. Password reuse is rife, as are weak passwords that are easily and quickly broken by criminals with applications and computing power devoted to doing just that. Combining weak passwords with reuse is asking for trouble, and quite often gets it.
By moving to biometrics such as a fingerprint, the user keeps a good level of security, because the fingerprint itself is never sent to the Google servers; it remains securely stored on the device, and only a “cryptographic proof” of a verified scan is sent instead. That is a fundamental part of the FIDO2 design, and rightly so.
However, as a report in Ars Technica stated, “While courts aren’t unanimous, they frequently grant more latitude to defendants who refuse to divulge passwords, since doing so amounts to testifying against oneself. Biometric information, by contrast, is often regarded as evidence that investigators can confiscate.” There is, sadly, always going to be a trade-off between convenience and security when push comes to shove.
However, for most people, most of the time, the biometrics win out.
Mainly because people don’t “do passwords” right, many security professionals recommend the use of a password manager, which enables the average user to create strong and unique passwords for every site or service, store them securely and handle the login process automatically, so you never have to remember a password again.
Except one, your master password to that password manager vault of course.
Are passwords dead now?
On September 10, 2013, it was reported that Heather Adkins, director of security and privacy at Google, had said that “passwords are done at Google,” during an expert panel conversation. Ever since, there have been more and more reports that Google is killing off the password, that it will soon be like the parrot from the Monty Python sketch: “This password is no more. It has ceased to be. It’s expired and gone to meet its maker.”
As of now, the password looks safe for some time yet. While these moves towards “passwordless” are generally to be welcomed, they do not mean the password is dead or even terminally ill. Passwords will remain a security feature, even if only in the background and hidden from the user most of the time, for the foreseeable future.