Tuesday, 13 August 2019

Android just took a step towards eradicating passwords for good - Wired.co.uk


In May 2015, Google set out a bold vision: it was going to get rid of passwords on Android phones. A year later, under the codename Abacus, it pledged to bring password-free logins to the operating system's apps by the end of 2016.

Fast forward three years and the password is still alive and being abused – the most used password is still 123456 (closely followed by other obvious combinations). But now, Google has taken a step towards actually eliminating some password reliance through Android and Chrome.

Starting from this week people using Android phones will be able to log in to web services in Chrome by using a fingerprint stored on their device. It's a small step closer to a password-free world. Phone owners running at least Android Nougat, which was released in 2016, can use their fingerprint to get into web services.

"New security technologies are surpassing passwords in terms of both strength and convenience," Google software engineer Dongjing He and product manager Christiaan Brand wrote in a blog post outlining the change.

But there's one big caveat: at the moment the login system is hugely limited. In fact, the only web service that it's possible to access without your password is Google Chrome's password manager. If you navigate to passwords.google.com through Google's web browser on your Android and tap on a previously saved piece of information, you'll be prompted to use the fingerprint saved on your phone to access the data.

This method only works because of three sets of internet standards: FIDO2, W3C WebAuthn and FIDO CTAP. The trio outline technical methods that web services should aim to use when it comes to user logins and passwords. The ultimate aim is to allow users to log in and register for services using devices they trust and extra authenticating information, such as fingerprint or facial data.

The membership of the FIDO Alliance, which is responsible for the standard of the same name, shows the tech industry's desire to do something about poor user passwords. FIDO is made up of Facebook, Intel, PayPal, Visa, Amazon, and more companies, and has been working on helping to replace passwords for years. It's only just starting to gain some traction though.

The FIDO2 standard is better than user passwords as it protects login details using public/private key cryptography. A private key is stored on a device – a phone or a security key, for instance – and the matching public key is held by the company the account belongs to. When a person tries to sign in to their account, a fingerprint or other biometric unlocks the private key, which signs a challenge sent by the service; the service checks that signature against the public key before giving access to the account.
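
The sign-in flow described above, as an added example that is not from the article or from Google's code: a Node.js simulation of a WebAuthn-style assertion, with the device side signing and the service side verifying. `RP_ID`, `ORIGIN` and every function name are constructed for illustration, and the sketch covers only the sign-in assertion (no CBOR attestation parsing at registration, no signature-counter tracking).

```javascript
// Added example: simulated FIDO2/WebAuthn sign-in, both sides in one process.
// RP_ID, ORIGIN and all function names are constructed for illustration.
const crypto = require('node:crypto');

const RP_ID = 'example.test';
const ORIGIN = 'https://example.test';
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the device keeps the private key, the service stores only the public key.
function register() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Device side: runs only after the fingerprint check has unlocked privateKey.
function authenticatorSign(privateKey, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authenticatorData = SHA-256(rpId) || flags (UP 0x01 | UV 0x04) || 4-byte counter
  const authData = Buffer.concat([sha256(RP_ID), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signature = crypto.sign('sha256',
    Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authData, signature };
}

// Service side: every check must pass before the session is granted.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'stale challenge';
  if (client.origin !== ORIGIN) return 'wrong origin';
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return 'wrong rpId';
  if ((a.authData[32] & 0x04) === 0) return 'user not verified';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const { publicKey, privateKey } = register();
  const challenge = crypto.randomBytes(32);            // fresh per sign-in attempt
  const good = authenticatorSign(privateKey, challenge, ORIGIN);
  const lookalike = authenticatorSign(privateKey, challenge, 'https://examp1e.test');
  return {
    genuine: verifyAssertion(publicKey, challenge, good),
    replayed: verifyAssertion(publicKey, crypto.randomBytes(32), good),
    lookalikeOrigin: verifyAssertion(publicKey, challenge, lookalike),
  };
}
console.log(demo());
```

The private key never leaves `authenticatorSign`; the service only ever handles the public key, the challenge it issued and the signed response, which is why a stolen server database or a look-alike site yields nothing reusable.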

In November 2018, Microsoft launched its biometrics login system, Windows Hello, on its Edge browser. This means people can sign in to their Microsoft account without having to provide a password. Microsoft accounts include Outlook, Office, and Skype.

At present Google's expansion of combining Android and Chrome for logging in to services is very limited. The number of times you need to access the service's password manager – if you even use it – is pretty infrequent, but the step forward precedes a major rollout like Microsoft's.

"These biometric capabilities are now, for the first time, available on the web, allowing the same credentials be used by both native apps and web services," He and Brand said. But even this limited rollout is significant because Google has vastly more web power than Microsoft. Android has more than two billion monthly users and Chrome is used by approximately 70 per cent of people browsing the web.

Google could easily introduce the passwordless feature across its other services. In a talk last year Brand said the bigger vision using the web standards was to allow people to easily log in to services without having to re-enter all of the details each time. "We want to make things easier for the user," he said.

During a demonstration he showed how Google's services could be at the centre of this: once a user had signed in to a banking account on their Android phone, they would then be able to access the same website on a MacBook with a fingerprint scanner through Chrome, without entering a password again.

The company hasn't yet announced when Gmail and its myriad of other services will support Android logins without passwords, but change is coming. "As we continue to embrace the FIDO2 standard, you will start seeing more places where local alternatives to passwords are accepted as an authentication mechanism for Google and Google Cloud services," the company staffers wrote in their blog post.


https://www.wired.co.uk/article/android-chrome-login-fingerprint-biometrics

2019-08-13 11:15:00Z