Google is testing a new way to sign in to its services: a feature that lets some users confirm their identity using their smartphones. The move is not only the latest sign that the tech industry is trying to get users away from passwords, but also a sign that companies still aren’t quite sure how to replace them.
Passwords are almost impossible to escape right now, but keeping track of the dozens you need just to navigate your daily online life can be maddening. And they’re also almost universally hated: Creating strong, unique passwords can feel like pulling teeth, and reusing them can leave you vulnerable when a service you rely on gets breached. Moreover, data from those almost inevitable breaches shows that people keep sticking to such ridiculously easy-to-guess passwords as "123456" or, well, "password."
"Right now it’s relatively convenient to have a simple password," said Alvaro Bedoya, the executive director of Georgetown Law’s Center on Privacy & Technology. "But as hacks increase and breaches proliferate, people are starting to realize that also may be dangerous."
Many big sites and services now offer two-factor authentication, an added layer of protection that often works by making you enter a code that’s delivered to your phone via text message or an app. Google’s new test seems to amount to taking the password out of this common two-factor equation, and it appears to be very similar to a system Yahoo launched for its mail app users earlier this year.
"We’ve invited a small group of users to help test a new way to sign in to their Google accounts, no password required," a Google spokesperson confirmed, adding that the days of "password" and "123456" are numbered.
The system is pretty straightforward, according to a Reddit post from user rp1226 that appears to have first brought the test to light. "You authorize your phone to allow you to log in to your account. You go into a computer and type in your email. Then you get a message on your phone to allow the login. If you hit yes, the computer logs into your Google account without a password," he wrote.
The test works for both Android and iOS devices, and users can still use their password to log in as normal if they don’t have their phone handy. If you lose your phone, the device’s lock screen should protect your accounts from falling into the wrong hands, and you can revoke access to the feature from a device at any time, according to a copy of documentation accompanying the test posted by the Reddit user.
But there are some pitfalls to the phone-only approach: If someone is able to access your phone while it’s unlocked, they could potentially log in to your account. (Although, presumably, if they have your unlocked phone they’ve already gotten to a treasure trove of your personal data that probably includes your inbox.)
Another booming password alternative is biometrics, which use physical characteristics like your fingerprints to prove who you are.
Fingerprint scanning is already in use on newer iPhones around the world and in some workplaces. The method can be appealing because, unlike passwords, fingerprints aren’t really something you can forget. But that’s also a potential problem: Your fingerprints are permanent, so they can’t be changed even if, say, they are among a massive trove of prints compromised by a hack at a major government agency.