Passwords for Android Apps May Go the Way of the Dinosaur
Next month, several large financial institutions are set to begin testing a Trust API (application program interface) that uses machine intelligence for user authentication, Dan Kaufman, director of Google's Advanced Technology and Projects group, said at the Google I/O developer conference last week.
Depending on the success of those tests, the Trust API is expected to become generally available to Android developers by the end of this year, he said.
Authentication by Face Detection
Project Abacus was the vision of Deepak Chandra, who until recently was head of mobile authentication at Google, Kaufman said. (Chandra's LinkedIn profile indicates he recently became director of engineering at Addepar, a financial technology company that -- like Google -- is headquartered in Mountain View, Calif.)
"We have a phone and these phones have all these sensors in them," Kaufman said, explaining the idea behind the project. "Why couldn't it just know who I was so I don't need a password?"
While Kaufman didn't offer information about what kinds of personal details the Trust API would use to verify a user's identity, research papers published by Chandra earlier this year seem to offer some clues. For example, a study published in March, written by Chandra along with researchers from Rutgers and the University of Maryland, described how to provide continuous authentication through "partial face detection" via a smartphone's front-facing camera.
Growing Security Concerns
Financial services and insurance companies are increasingly frustrated with the security shortcomings of passwords as a means of authenticating employees and legitimate users of services, an article in the Wall Street Journal noted in September. In addition to Google, companies like Wells Fargo and Aetna are working on algorithms to verify identities through behavioral analysis, according to the article.
"In today's world, mobile devices are being used not only for verbal communication but also for accessing bank accounts and performing transactions, managing user profiles, accessing e-mail accounts, etc.," Chandra and his fellow researchers said in the paper on face detection. "With increasing usage, there is a growing concern about ensuring the security of users' personal information on these devices."
An incident reported last week highlighted some of the security problems inherent in the use of passwords. After some 117 million e-mails and passwords for LinkedIn users were found for sale online -- four years after the initial hack was discovered -- analysis showed the top passwords used by many hundreds of thousands of those users included such easily guessed strings as "123456," "linkedin" and "password."
Google last week also announced the launch of its new Safe Browsing API version 4. First released in 2007, the Safe Browsing API is designed to protect Internet-connected devices, including mobile phones, from security threats like malware and phishing attacks.