Google’s plan to eliminate passwords in favor of systems that take into account a combination of signals – like your typing patterns, your walking patterns, your current location, and more – will be available to Android developers by year-end, assuming all goes well in testing this year. In an under-the-radar announcement Friday afternoon at the Google I/O developer conference, Daniel Kaufman, the head of Google’s research unit ATAP (Advanced Technology and Projects), offered a brief update on the status of Project Abacus, the name for a system that opts for biometrics over two-factor authentication.
As you may recall, Project Abacus was first introduced at Google I/O last year, where it was described as an ambitious plan to move the burden of passwords and PINs from the user to the device.
Today, secure logins – like those used by banks or in the enterprise environment – often require more than just a username and password. They tend to also require the entry of a unique PIN, which is generally sent to your phone via SMS or emailed. This is commonly referred to as two-factor authentication, as it combines something you know (your password) with something you have in your possession, like your phone.
With Project Abacus, users would instead unlock devices or sign into applications based on a cumulative “Trust Score.” This score would be calculated using a variety of factors, including your typing patterns, current location, speed and voice patterns, facial recognition, and other things.
Google has already implemented similar technology, called “Smart Lock,” on devices running Android 5.0 and higher. It lets you automatically unlock your device when you’re in a trusted location, when a trusted Bluetooth device is connected, when you’re carrying your device, or when the device recognizes your face. (Smart Lock for Passwords, meanwhile, simply saves passwords to websites and apps, and auto-fills them for you upon your next visit.)
Project Abacus is a bit different. It runs in the background on your device to continually collect data about you to form its Trust Score.
This score reflects how confident the system is that you are who you say you are. If your score isn’t high enough, apps could revert to asking for passwords. ATAP had also said previously that apps could require different Trust Scores. For example, your bank might require a higher score than a mobile game.
“We have a phone, and these phones have all these sensors in them. Why couldn’t it just know who I was, so I don’t need a password? I should just be able to work,” explained Kaufman Friday afternoon at Google I/O, describing the problem with password-based authentication.
He said that engineers in Google’s search and machine intelligence groups have since turned Project Abacus’s ideas into something called “Trust API,” and this API is entering testing with banks starting next month.
In June, “several very large financial institutions” will begin their initial testing of the Trust API, said Kaufman.
“And assuming it goes well, this should become available to every Android developer around the world by the end of the year,” he added.
Kaufman quickly moved on to other ATAP projects, like its connected clothing, modular smartphone, radar sensors, and more. And while the other technologies are fun to contemplate, this “Trust API,” as it’s called, could introduce more of a real-world change in how users interact with apps on their smartphones. Plus, it offers a new way of securing the content in apps – if someone who was not you gained access to your phone and was able to unlock it, all the apps could be locked down automatically simply because that person, as determined by the software, was not you.
Last year, the company said that Project Abacus was in trials with 33 universities across 28 states. Bringing it to banks is a significant step forward. And by making it something Android developers can implement in their own apps by year-end, Google could have its own unique advantage in user authentication to compete with rival systems like Apple’s fingerprint-based TouchID.