
Project Abacus: Google's plan to kill the password via biometric tracking - nitin_flanker
http://www.engadget.com/2016/01/15/googles-creepy-plan-to-kill-the-password/
======
skj
(disclosure: I am a Googler, but I have nothing to do with this project)

Passwords are problematic, easy to lose, easy to steal, but an issue with
biometric identity verification is that you can no longer maintain multiple
personas. Using a password with 2FA, you can quite easily maintain two sets of
those credentials, assuming that the authority doesn't demand proof of real
name or such nonsense.

If you trust the authority, it's no big deal. And, I trust Google... today.
But do I trust Google tomorrow? I don't yet know tomorrow's Google.

~~~
akerro
> I trust Google... today.

This is a really hard problem for our society. A lot of people say 'nothing to
hide', most people don't have a problem with gov. surveillance, only because
we live in semi-democratic countries and a lot of them were not hurt by
communistic governments. People in Germany and Poland look differently at such
things, they still remember Stasi (Ger) and SB with WRON (Pl). Clearly our
governments want more power and information and it's not for our safety, this
situation is reminding people that communism can be turned into democracy, and
democracy into communism, very quickly.

~~~
ar4s
I think most people understand your last point as you meant it, but Democracy
and communism are Apples and Oranges.

------
Htsthbjig
> And then we have fingerprints, which are very secure and onerous to imitate

Fingerprints are SO EASY to imitate that I taught a group of 10-12 year olds
to do it successfully with something as simple as a drinking cup, superglue, a
smartphone and an SLA printer.

You can cheat the iPhone sensor with no problems.

Everything you touch has your fingerprint on it. Secure! Ha!

A fingerprint taken from you works today and works tomorrow and it will work
forever.

I prefer passwords or tokens that I could change, thank you very much.

What Google wants is to do surveillance on everyone all day long. Their
interests are different from ours.

------
mintplant
> Cisco engineer Shawn Cooley countered him saying, "very cool until I break
> my leg or hand & can't auth to any services to get healthcare info since my
> behavior is diff." Messina said, "you presume that your health records
> aren't being managed by Verily. You would be wrong."

So Verily would be automatically sharing information with Abacus to modulate
its user identification, and they feel they can just start doing that because it's
also an Alphabet company.

This sets off alarm bells in my head. Is this the attitude toward privacy and
data isolation at Alphabet/Google? How long until these health records are
also shared with Google's advertising department? It tells me that they have
no business managing health records at all.

~~~
sbw1
> Is this the attitude toward privacy and data isolation at Alphabet/Google?

It is a Twitter remark by an ex-Googler who had nothing to do with Abacus and
never worked at Verily. That is, some combination of snark and wild-ass
speculation.

------
mikecb
The server side of major services already performs some very sophisticated
probabilistic authentication mechanisms. Ever had Google or Facebook ask you to
sign in again when you got off a flight or accessed a sensitive setting?
You've experienced it firsthand.

Taking it down to the device level is just acknowledging the danger of lost or
stolen second factors. Further, frameworks like TensorFlow may allow the
learning model to run directly on your phone, alleviating a lot of the
concerns enumerated in this article.

~~~
idlewords
I've never been prompted to reauthenticate to Facebook or Google based on
travel, actually, and if I was, I would be paranoid about a MITM attack. Has
this happened to anyone?

~~~
sirsar
Facebook in the past has required me to authenticate during travel by showing
me pictures in which my friends are tagged, and asking me to name them. Of
course this was made more difficult by my friends' tendencies to abuse the
image tagging feature...

------
alainv
> And then we have fingerprints, which are very secure and onerous to imitate

Aaaaand there goes the article's credibility. A pity, because there's a real
need for a cogent debate about this panopticon-as-password program.

~~~
idlewords
The best thing about fingerprint authentication is that you can (literally)
hack up a way for up to ten people to share a device.

~~~
eco8008
You also can (literally) cut access to service.

------
Figs
The real problem is that bio-metrics are basically unchangeable. As soon as a
database gets hacked or stolen, or whatever device does the recording has a
vulnerability, your security with such systems is compromised forever -- not
just at the original place that was breached, but with everyone else who uses
the same metrics.

~~~
acdha
Yes - my rule is that if the other side knows you're using biometrics, the
system is too dangerous to use.

The weird part is how unnecessary the Mission Impossible stuff is: replacing
passwords is a legacy hassle so if you're going to do that there's no reason
not to do so with a flexible public key design which doesn't make assumptions
about the client hardware and can be patched when it's compromised.
(Biometrics might be a fine usability option for the client store)

------
Freak_NL
I am glad that Google is not focusing _exclusively_ on using biometric factors
to implement two or more factor authentication solutions these days, because
there are quite a lot of valid arguments against widespread use of it.
Biometric properties are limited in number (couple of irises, bunch of
fingers), cannot be replaced (at least not with a replacement that can serve
as a biometric source of identification), cannot be shared (voluntarily), and
are considered by many as an unreasonably invasive manner of identifying
yourself. Needless to say that the notion of a microphone analysing my every
move and utterance sounds like something from a dystopian sci-fi novel.

Instead of using biometric properties as a second factor, I find user-friendly
and reusable hardware tokens to be very much preferable. Fortunately Google is
also a backer of FIDO U2F, which outlines a standard for hardware tokens the
size of a thumb — but unlike your actual meaty appendages, it is replaceable
and not quite as bloody to lend to someone in case he or she has a valid
reason to access your accounts for you. These work with USB, NFC, and
Bluetooth LTE, on any OS, with (soon) any modern browser (currently only
Chrome supports it, but Mozilla is committed to implement this technique in
Firefox as well), and can be used for an infinite number of services; without
the token being identifiable across services.

Succeed in making having one of these tokens on your (physical!) key-chain as
common as having the key to your front door there, and use the economy of scale
to make these tokens as cheap as a happy meal; _that_ would be an acceptable
way to beef up security for Joe Sixpack and privacy conscious netizens alike,
but leave my body alone.

------
deadowl
Calling it a trust score instead of a confidence score was pretty stupid of
them and lends to the whole creepy vibe mentioned in the title.

~~~
cpeterso
"Login failed. You are only 23% you. Please be more you to login again."

------
jrapdx3
Maybe it's too obvious or maybe I'm completely missing something, but seems a
"fatal flaw" in this scheme is the fact that not everyone owns a smartphone,
or even uses web services enough to develop much of an identifiable "profile".
Smartphones are fragile, easily lost, not always available or reliable, making
their use for the purpose seem far less than optimum.

Furthermore, how high a level of security is needed depends on the situation.
Sometimes passwords guard fairly trivial risk exposure, like belonging to some
newsgroup to make occasional comments. Hardly any personal info to leak in
such cases and simple measures will do just fine.

OTOH my health records need to be protected far more vigorously, but why
would I trust that security to a third party entity like Google? I'd much
rather have security for the EHR managed within the EHR system itself, and
whatever is adopted, I doubt it would look a whole lot like what's proposed in
the article.

~~~
FLUX-YOU
> I'd much rather have security for the EHR managed within the EHR system
> itself

I would trust Google's security team over most EHRs. I base this on finding a
few SQL injection flaws and single DES usage in one I worked on but I don't
have broad experience in many EHRs.

~~~
jrapdx3
Yeah, I know some EHRs have been attacked re: inadequate security, though
AFAIK major vendors in my local area seem to have been doing OK recently.
However, it only takes small errors here or there to open up significant
holes, a fact I've brought up many times when discussing "interoperability"
among EHRs, a favorite subject of governmental planners.

I think the problem trusting Google might not lie with their "security team"
(they probably have a number of such teams), but rather with privacy policies
and guarantees. IOW Google is no doubt capable of providing security,
questions arise about enforcing constraints necessary to assure the high level
of privacy required by EHR systems.

------
ejcx
Nowhere in this thread/article is any mention of the Credential Management
draft[0]. This is something I expect to see in canary in the next yr and a
half.

[0] - [http://w3c.github.io/webappsec-credential-management/](http://w3c.github.io/webappsec-credential-management/)

------
acdha
Has anyone published precise technical details about what this actually does?
The writeup here makes it sound like it's being pitched as a replacement for
network logins or two-factor authentication, which would be an unmitigated
disaster – can't rekey, client compromises are irrecoverable, etc.

There's certainly a tradition of academics without security experience
pitching that concept but it'd be surprising for it to get very far at Google
given how many qualified security people work there and the actual YouTube
video makes it sound like this is just being pitched as an alternative phone
unlock mechanism.

I don't see anything in there suggesting that it's being pitched as a
replacement for either network passwords or two-factor authentication. Has
anyone seen another source for anything that leaves the device or is this just
a reporter jumping to conclusions?

------
funkyy
This sounds bad. We are already forced to use almost exact voice to give voice
commands. Now we will be forced to walk the same, speak every so even if you
are alone in the room and be sure we don't break our habits. For me this sounds
bad. I will be waiting for Google to prove to me I am mistaken.

~~~
deadowl
If you combined this with multifactor authentication (e.g. fallback to a
password for a 100% trust score), it could potentially match your change in
biometrics against a diagnostics knowledge base and use any new data following
to further train the diagnostics knowledge base. Of course, that would have to
be opt-in with patient confidentiality as strongly defended as possible (there
need to be laws and regulations defending privacy with this model), but it
would be an interesting source of data collection.

------
KingMob
There's still a lot that can be done to improve passwords without eliminating
them. Perhaps the single biggest step is to encourage password managers that
can auto-generate strong passwords. I seem to recall an article recently
showing that the biggest difference between normal people and security
professionals was the use of password managers.

~~~
ape4
Password managers could be included with the OS - like notepad. But deep
integration with the OS would be bad.

~~~
skj
It's not clear to me what you're suggesting - your two statements are, at
least superficially, at odds with one another.

~~~
addicted
The difference I'm guessing is deep integration would be like IE and Windows
in the pre lawsuit days.

Basically, OSes should come with a password manager app by default, but users
can download their own to replace it which would replace the default one. Much
like how you can set your default browser on desktop OSes.

~~~
ape4
Yup that's what I was saying.

------
3princip
This is disconcerting. I don't like the idea of biometric and other
characteristic data being used to identify me, but at least with fingerprint
sensors, retina scanners and other such devices I am aware what is happening
and give consent each time. This system proposes to silently identify me by
the way I type, click or use a device, constantly learning and improving. No
doubt the processed data, like a signature, will reside in the cloud and
eventually be used to identify users on any device they happen to be using.
Convenience above all else, yet again.

------
magicalist
I didn't watch the linked I/O presentation, but I clicked through to the Ars
Technica article. Are there any details that suggest this would be more than
just v2 of fingerprint unlock?

aka optional, local and circumventable with a password if my fingerprint isn't
recognized?

------
haspoken
I recently changed internet providers, and now Google refuses to let me access
my account from home.

I've tried telling Google it was me attempting access, but no luck. They still
forbid access.

------
amelius
Why not simply use a smartwatch in a 2FA approach?

~~~
Freak_NL
Probably because hardly anyone owns one. They are luxury items.

