


Google’s Trust API: Bye-bye passwords, hello biometrics?

May 25, 2016 (4 mins)
Android, Data and Information Security, Mobile Apps

Google intends to kill off passwords, as well as allow Android apps to run instantly without installing the apps first

Bye-bye passwords. We’ve heard that a lot over the years, but Google has a plan to kill off passwords by the end of this year by replacing passwords with biometrics.

“We have a phone, and these phones have all these sensors in them,” Daniel Kaufman said at Google I/O 2016 last week. “Why couldn’t it just know who I was, so I don’t need a password? It should just be able to work.” Kaufman heads up Google’s Advanced Technology and Projects (ATAP) research unit.

You may recall Project Abacus (video) being mentioned at Google I/O last year. It was tested across 28 states in 33 universities, so now Google intends to “get rid of the awkwardness” of two-factor authentication, as well as passwords. Instead, you will be authenticated by how you use your Android.

Trust API will run in the background, always keeping track of your biometrics, so it will know you are really “you” when you unlock your device. It will utilize some of the common biometric indicators you might expect, such as your face print, as well as others such as how you swipe the screen, the speed of your typing, voice patterns, your current location and even how you walk. Combined, it gives a cumulative “trust score.”

Kaufman said Trust API will roll out for testing to “several very large financial institutions” in June. If the testing goes well, then Trust API “should go out to every Android developer by the end of the year.”

TechCrunch explained that not all apps will require the same “trust score.” Logging into social media or a game might require a much lower score to prove your identity than logging into your bank account.

Last year, Google launched Smart Lock to automatically unlock your phone without using a password; it already works for Android Marshmallow.

If you are creeped out by the idea of Google collecting even more of your information, your biometrics this time, then Threatpost reported that “the sensor data used to generate ‘trust score’ would be locally processed and not sent to the Google cloud to be added to your digital dossier.”

Android Instant Apps

Let’s say your mom texts you something that would require an app you don’t currently have installed on your Android in order for you to open the link and answer her questions. You check out the app, the room it takes, the overly broad permissions and the access it requires, and you decide you don’t want to know what she’s talking about that badly. Android Instant Apps may change that scenario by allowing you to open the link without installing the app.

Michael Siliski, the Google product manager overseeing Instant Apps, wants to make the phone in your hand “a remote control for the real world.” The plan is to use deep linking so you can run Android apps “instantly” without first needing to install apps on devices running Jelly Bean (4.1) on up; that reportedly covers “over a billion users.” It could work for any Android app, so long as developers upgrade their existing apps. Hopefully it will just work without automatically granting permissions.

Phone Arena pointed out that developers would likely rather you install their full app, “but with Google promising to let the folks behind the apps on your homescreen monetize Instant Apps, and even integrate seamless mobile payments through Android Pay, it’s likely that many will follow anyway.”

That’s definitely a big change. But back to the example of your mom sending a link because she needs something technical explained to her: the days of refusing to install the app, and thereby avoiding giving your assistance, may be numbered. The flipside is that simply answering the question by using Instant Apps would surely be faster than the many rapid-fire texts that follow, with her describing the issue without much technical literacy until you finally “fix” the problem.


Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.