Authentication is one of the tougher problems in security, and a lot of companies have thrown a lot of money at it for a long time. Google is one of those companies, and the company is testing a new scheme that allows users to access their accounts without using a password.
The system relies on a user having access to her mobile phone. Rather than typing in her username and password to access her Google account on a PC, the user would enter just her email on the computer. She then would get a message from Google on her phone asking if she wants to allow the login. Once she hits yes, she is logged in on the PC.
It’s a variant of the two-step verification system that Google, Apple, and other companies have implemented in recent years. Those systems require users to enter one-time passcodes in addition to their passwords in order to log in to their accounts on new devices. This protects users against account-takeover attacks, which have become prevalent as the Internet has been flooded with usernames and passwords leaked from data breaches.
The new Google system, which was publicized by a Reddit user earlier this week, allows users to simplify that process. Once a user has logged into her Google account on her phone and set it up for the authentication scheme, she will only have to hit “yes” to allow new logins. Google has invited a small group of people to test the system, which works on Android and iOS. The scheme could provide another layer of protection against attacks such as phishing that are designed to steal users’ account credentials.
With this feature enabled, an attacker who has a victim’s username and password still wouldn’t be able to get access to the victim’s account without the user approving it on her phone. Users still can use their passwords to log in if they choose, which works as a fail-safe if they lose their phones, as well.
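To make the flow described above concrete (email on the PC, prompt on the phone, “yes” completes the PC login, and a stolen password alone is not enough), here is an added toy model of the server-side bookkeeping such a scheme needs; it is not Google’s code. It assumes a pending prompt is bound to the browser session that requested it, that only the phone enrolled for the account can answer, and that an answer counts once and only before a 60-second expiry; the class, method names and lifetime are my assumptions.

```python
import secrets
import time
from dataclasses import dataclass

CHALLENGE_TTL = 60  # seconds a pending prompt stays answerable (assumed value)


@dataclass
class Challenge:
    email: str
    session_id: str      # the PC browser session that typed the email
    created: float
    decided: bool = False


class PhonePromptLogin:
    """Toy server model: PC submits an email, the enrolled phone is prompted,
    and only a 'yes' from that phone logs the requesting PC session in."""

    def __init__(self):
        self.enrolled = {}       # email -> device id of the phone set up for prompts
        self.pending = {}        # challenge id -> Challenge
        self.logged_in = set()   # PC session ids that completed login

    def enroll(self, email, device_id):
        self.enrolled[email] = device_id

    def start(self, email, session_id, now=None):
        """PC side: returns (challenge id, phone to notify)."""
        if email not in self.enrolled:
            raise ValueError("no phone enrolled for this account")
        cid = secrets.token_urlsafe(16)   # unguessable id sent only to the phone
        now = time.time() if now is None else now
        self.pending[cid] = Challenge(email, session_id, now)
        return cid, self.enrolled[email]

    def decide(self, challenge_id, device_id, approve, now=None):
        """Phone side: answer the prompt. Accepted once, before expiry, and only
        from the enrolled device. Returns True if the answer was recorded."""
        ch = self.pending.get(challenge_id)
        now = time.time() if now is None else now
        if ch is None or ch.decided or now - ch.created > CHALLENGE_TTL:
            return False
        if self.enrolled.get(ch.email) != device_id:
            return False   # answer did not come from the phone that was set up
        ch.decided = True  # one answer per prompt, whether yes or no
        if approve:
            self.logged_in.add(ch.session_id)   # only the requesting PC session
        return True

    def is_logged_in(self, session_id):
        return session_id in self.logged_in
```

A session that merely knows the email (or even the password) never gets logged in unless the enrolled phone answered its own prompt with “yes”.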
Photo from Flickr stream of Jon Russell.