Project Abacus: Google's plan to kill the password via biometric tracking

81 points by nitin_flanker, over 9 years ago

17 comments

skj, over 9 years ago
(disclosure: I am a Googler, but I have nothing to do with this project)

Passwords are problematic, easy to lose, easy to steal, but an issue with biometric identity verification is that you can no longer maintain multiple personas. Using a password with 2FA, you can quite easily maintain two sets of those credentials, assuming that the authority doesn't demand proof of real name or such nonsense.

If you trust the authority, it's no big deal. And, I trust Google... today. But do I trust Google tomorrow? I don't yet know tomorrow's Google.

Htsthbjig, over 9 years ago
> And then we have fingerprints, which are very secure and onerous to imitate

Fingerprints are SO EASY to imitate that I taught a group of 10-12 year olds to do it successfully with something as simple as a drinking cup, superglue, a smartphone and an SLA printer.

You can cheat the iPhone sensor with no problems.

Everything you touch has your fingerprint on it. Secure! Ha!

A fingerprint taken from you works today and works tomorrow and it will work forever.

I prefer passwords or tokens that I could change, thank you very much.

What Google wants is to do surveillance on everyone all day long. Their interests are different from ours.

mintplant, over 9 years ago
> Cisco engineer Shawn Cooley countered him saying, "very cool until I break my leg or hand & can't auth to any services to get healthcare info since my behavior is diff." Messina said, "you presume that your health records aren't being managed by Verily. You would be wrong."

So Verily would be automatically sharing information with Abacus to modulate its user identification, and they feel they can just start doing that because it's also an Alphabet company.

This sets off alarm bells in my head. Is this the attitude toward privacy and data isolation at Alphabet/Google? How long until these health records are also shared with Google's advertising department? It tells me that they have no business managing health records at all.

mikecb, over 9 years ago
The server side of major services already performs some very sophisticated probabilistic authentication mechanisms. Ever had Google or Facebook ask you to sign in again when you got off a flight or accessed a sensitive setting? You've experienced it firsthand.

Taking it down to the device level is just acknowledging the danger of lost or stolen second factors. Further, frameworks like TensorFlow may allow the learning model to run directly on your phone, alleviating a lot of the concerns enumerated in this article.

alainv, over 9 years ago
> And then we have fingerprints, which are very secure and onerous to imitate

Aaaaand there goes the article's credibility. A pity, because there's a real need for a cogent debate about this panopticon-as-password program.

Figs, over 9 years ago
The real problem is that bio-metrics are basically unchangeable. As soon as a database gets hacked or stolen, or whatever device does the recording has a vulnerability, your security with such systems is compromised forever -- not just at the original place that was breached, but with everyone else who uses the same metrics.

Freak_NL, over 9 years ago
I am glad that Google is not focusing *exclusively* on using biometric factors to implement two or more factor authentication solutions these days, because there are quite a lot of valid arguments against widespread use of it. Biometric properties are limited in number (couple of irises, bunch of fingers), cannot be replaced (at least not with a replacement that can serve as a biometric source of identification), cannot be shared (voluntarily), and are considered by many as an unreasonably invasive manner of identifying yourself. Needless to say that the notion of a microphone analysing my every move and utterance sounds like something from a dystopian sci-fi novel.

Instead of using biometric properties as a second factor, I find user-friendly and reusable hardware tokens to be very much preferable. Fortunately Google is also a backer of FIDO U2F, which outlines a standard for hardware tokens the size of a thumb — but unlike your actual meaty appendages, it is replaceable and not quite as bloody to lend to someone in case he or she has a valid reason to access your accounts for you. These work with USB, NFC, and Bluetooth LTE, on any OS, with (soon) any modern browser (currently only Chrome supports it, but Mozilla is committed to implement this technique in Firefox as well), and can be used for an infinite number of services; without the token being identifiable across services.

Succeed in making having one of these tokens on your (physical!) key-chain as common as having the key to your front door there, and use the economy of scale to make these tokens as cheap as a happy meal; *that* would be an acceptable way to beef up security for Joe Sixpack and privacy-conscious netizens alike, but leave my body alone.

deadowl, over 9 years ago
Calling it a trust score instead of a confidence score was pretty stupid of them and lends to the whole creepy vibe mentioned in the title.

jrapdx3, over 9 years ago
Maybe it's too obvious or maybe I'm completely missing something, but seems a "fatal flaw" in this scheme is the fact that not everyone owns a smartphone, or even uses web services enough to develop much of an identifiable "profile". Smartphones are fragile, easily lost, not always available or reliable, making their use for the purpose seem far less than optimum.

Furthermore, how high a level of security is needed depends on the situation. Sometimes passwords guard fairly trivial risk exposure, like belonging to some newsgroup to make occasional comments. Hardly any personal info to leak in such cases and simple measures will do just fine.

OTOH my health records need to be protected far more vigorously, but why would I trust that security to a third party entity like Google? I'd much rather have security for the EHR managed within the EHR system itself, and whatever is adopted, I doubt it would look a whole lot like what's proposed in the article.

ejcx, over 9 years ago
Nowhere in this thread/article is any mention of the Credential Management draft[0]. This is something I expect to see in canary in the next yr and a half.

[0] - http://w3c.github.io/webappsec-credential-management/

acdha, over 9 years ago
Has anyone published precise technical details about what this actually does? The writeup here makes it sound like it's being pitched as a replacement for network logins or two-factor authentication, which would be an unmitigated disaster – can't rekey, client compromises are irrecoverable, etc.

There's certainly a tradition of academics without security experience pitching that concept but it'd be surprising for it to get very far at Google given how many qualified security people work there and the actual YouTube video makes it sound like this is just being pitched as an alternative phone unlock mechanism.

I don't see anything in there suggesting that it's being pitched as a replacement for either network passwords or two-factor authentication. Has anyone seen another source for anything that leaves the device or is this just a reporter jumping to conclusions?

funkyy, over 9 years ago
This sounds bad. We are already forced to use almost exact voice to give voice commands. Now we will be forced to walk the same, speak every so even if you are alone in the room and be sure we don't break our habits. For me this sounds bad. I will be waiting for Google to prove me I am mistaken.

KingMob, over 9 years ago
There's still a lot that can be done to improve passwords without eliminating them. Perhaps the single biggest step is to encourage password managers that can auto-generate strong passwords. I seem to recall an article recently showing that the biggest difference between normal people and security professionals was the use of password managers.

3princip, over 9 years ago
This is disconcerting. I don't like the idea of biometric and other characteristic data being used to identify me, but at least with fingerprint sensors, retina scanners and other such devices I am aware what is happening and give consent each time. This system proposes to silently identify me by the way I type, click or use a device, constantly learning and improving. No doubt the processed data, like a signature, will reside in the cloud and eventually be used to identify users on any device they happen to be using. Convenience above all else, yet again.

magicalist, over 9 years ago
I didn't watch the linked I/O presentation, but I clicked through to the Ars Technica article. Are there any details that suggest this would be more than just v2 of fingerprint unlock?

aka optional, local and circumventable with a password if my fingerprint isn't recognized?

haspoken, over 9 years ago
I recently changed internet providers, and now Google refuses to let me access my account from home.

I've tried telling Google it was me attempting access, but no luck. They still forbid access.

amelius, over 9 years ago
Why not simply use a smartwatch in a 2FA approach?