Infosec pros are moving beyond traditional passwords, and companies are expected to follow in the same direction.
Big companies like Google, with millions and billions of users that currently need to enter login credentials in order to access and use most of the company’s offerings, are seeing the writing on the wall: the password as an authentication method is reaching the end of the road.
And that’s despite the implementations of two-factor authentication. Though a more secure option, with 2FA the user still has to remember the password (which, if they’re doing it right, has by now become longer, more complex, and probably more difficult to remember), and take the additional step of entering a security code or plugging in a dongle. Altogether, it has become a hassle for many.
As you may or may not know, the success of a service or product depends largely on how easy it is to use, and there’s always room for improvement. Google thinks so, too, and is apparently determined to increase security while decreasing login complexity.
Rita El Khoury reports that Reddit user Rohit Paul has become one of a small group of Google users that are currently testing a new way to sign in to their accounts without a password. Instead, they will be using their phones.
Once the feature has been set up – the compatible phone determined and the screen lock enabled – the user simply has to enter their email address when trying to log in to their Google account (e.g. on their computer). This will trigger the sending of a notification to the user’s phone, asking whether they’re trying to sign in from another device. Answering “Yes” will allow them to proceed into their Google account via this device.
For now, the user can still choose the “use your password instead” option if they want to or have to (they have lost their phone or it’s not available at the moment). Also, if Google detects something suspicious about the sign-in attempt, they will ask for the password just in case.
Google has confirmed that the testing is being performed both by Android and iOS users, but didn’t share which phones are compatible with the service.
Google isn’t the first company trying to get rid of passwords. In March 2015, Yahoo launched on-demand passwords, and offered users the option to sign in to their account using an SMS code. In October, they improved the option by introducing Yahoo Account Key, which uses push notifications instead of SMSs. In fact, the feature works very much like the one being tested by Google.