It’s a trust thing Igor Stevanovic/Alamy Stock Photo

Goodbye, Password1. Goodbye, 12345. You’ve been hearing about it for years but now it might really be happening: the password is almost dead.

At Google’s I/O developer conference, Daniel Kaufman, head of Google’s advanced technology projects, announced that the company plans to phase out password access to its Android mobile platform in favour of a trust score by 2017. This would be based on a suite of identifiers: what Wi-Fi network and Bluetooth devices you’re connected to and your location, along with biometrics, including your typing speed, voice and face.

The phone’s sensors will harvest this data continuously to keep a running tally on how much it trusts that the user is you. A low score will suffice for opening a gaming app. But a banking app will require more trust.


Banned passwords

It’s part of a trend trying to build security and privacy into design, instead of making it the responsibility of the user, a way of doing things that long ago became untenable, says Angela Sasse at University College London. “Don’t make it the individual’s problem,” she says. “It’s not uncommon for people to spend 30 minutes a day on various authentication tasks.”

Partly as a result of this, people stubbornly refuse to budge from old faithfuls like 12345 – even in an age of seemingly never-ending password leaks and hacks. Last week Microsoft banned the most commonly used passwords including password, 12345, and qwerty across several of its services including Skype and Outlook.

Google hinted that it would be collaborating with major banks, but banks have begun to look into this independently, says Sasse. “Many banks are already authenticating transactions based on a suite of background information.” HSBC announced voice recognition in February.

Trust me, it’s better

Especially interesting are behavioural biometrics like keystroke recognition, in which some banks have already shown an interest. “Behavioural biometrics have higher recognition rates and are more accurate than classic biological markers,” says Sasse.

Alternative ways of authenticating users have other benefits too. Kaufman said that the trust method is better than two-factor authentication because it does not break down if phone signal is unavailable.

However, several people have expressed concerns in the past week about whether injuries could affect their characteristic way of typing, for example, and impact the trust score sufficiently to prevent access to apps. “What if I break my arm?” one engineer asked on Twitter.

Developer kits will be available by the end of 2016.