Google to Kill Android Passwords

Google has announced at their annual developers’ conference that before the end of the year, Android users will be able to log in to services using something other than a password. The news confirms earlier rumors that a combination of a user’s face, typing pattern and how they move will be used instead of simply typing in a password.

Testing of the company’s new “Trust API” is scheduled to begin in June, initially with “several very large financial institutions”, according to Daniel Kaufman, head of Google’s Advanced Technology and Projects group.

The Trust API was first created under the codename Project Abacus, which was introduced in 2015. Abacus’ aim was to kill passwords by mixing together multiple weaker indicators into one solid piece of evidence that you are who you say you are.

According to Kaufman, the Trust API could use biometric indicators, such as your face shape and voice pattern, as well as some less obvious indicators, including how you move, how you type and how you swipe on the screen. The service will continually run in the background of the phone and keep track of whether those indicators match how it knows you normally use your phone.

At this year’s conference, Google showed how Trust API has built on the Project Abacus base. The service will be open to third parties, allowing other organizations to verify one’s identity through the API. Initially, banks will use it to verify customers logging in through Android, but “by the end of the year”, it should be available to every developer, says Kaufman.

Crucial to the API is opening up the service’s estimates of security. Rather than giving a binary answer, as a password does, the API can hand over a score to indicate how confident it is that you really are you. If the institution needs more confidence, it can feed back and ask for additional mechanisms: more biometric data, for instance, or an old-style password.
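The score-and-step-up flow described above can be sketched from the relying party's side. This is an added example, not Google's Trust API or code from the article. The signal names, likelihood ratios, thresholds and function names are all hypothetical, and the fusion treats the indicators as independent, which real behavioural signals are not.

```python
import math

# Constructed likelihood ratios: P(observation | owner) / P(observation | impostor).
# Above 1 supports the owner, below 1 counts against. Hypothetical values.
SAMPLE_SIGNALS = {"face": 6.0, "typing": 2.5, "gait": 1.8, "swipe": 1.5}

# Hypothetical relying-party policy: minimum confidence required per action.
REQUIRED = {"view_balance": 0.80, "transfer": 0.99}

# Extra mechanisms the institution may ask for, in order, with constructed
# ratios assuming each check succeeds.
STEP_UPS = [("fingerprint", 50.0), ("password", 200.0)]


def fuse(signals, prior=0.5):
    """Combine weak indicators into one confidence score via summed log-odds."""
    log_odds = math.log(prior / (1 - prior))
    for name, ratio in signals.items():
        if ratio <= 0:
            raise ValueError(f"likelihood ratio for {name} must be positive")
        log_odds += math.log(ratio)
    return 1 / (1 + math.exp(-log_odds))


def decide(action, signals, prior=0.5):
    """Return (decision, passive_score, mechanisms_to_request)."""
    need = REQUIRED[action]
    score = fuse(signals, prior)
    if score >= need:
        return "allow", score, []
    # Passive score too low: plan the smallest set of extra checks that
    # could reach the threshold if they all pass.
    requested, projected = [], dict(signals)
    for name, ratio in STEP_UPS:
        requested.append(name)
        projected[name] = ratio
        if fuse(projected, prior) >= need:
            return "step_up", score, requested
    # Even every extra check passing would not be enough: refuse.
    return "deny", score, requested


if __name__ == "__main__":
    for action in REQUIRED:
        print(action, decide(action, SAMPLE_SIGNALS))
```

The same passive score allows a low-risk action and triggers a request for one extra factor on a high-risk one, which is the difference from a password's binary answer.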