Google: Let the machines remember the password

The next wave of mobile authentication will take security out of the hands of humans and put it into the devices those humans carry, if Google’s Advanced Technology and Projects group has anything to say about it.

ATAP’s Project Vault is a secured-computing environment on a microSD card complete with an ARM processor, a near field communications chip, a secure operating system, antenna and 4G of storage. Data can be secured locally, and communications between two Project Vault-enabled devices are encrypted end-to-end.

Project Vault was unveiled at the 2015 Google I/O conference. According to Regina Dugan, the head of Google’s Advanced Technologies and Projects Group, it can run on Android, Windows, OS X and Linux, and can be used for mobile devices, desktop computers and Internet of Things endpoints.

Vault is already up and running at Google and will first be targeted to enterprise users in verticals that require encryption and highly secure communications.

The ATAP team also entered its horse into the password-killer race, with a plan to eliminate alphanumeric strings in favor of a suite of behavioral biometrics -- a solution that Google says has 10 times the security of the fingerprint sensors available today.

Project Abacus is a solution that collects data during user sessions so the phone can “learn” the habits of its owner. That information – including touchscreen input, location, how the phone is moving, what connections it uses, the brightness settings, the apps and phone usage – is, when taken as a whole, a better authentication solution than any single- or two-factor method of identification.

“A combination of sensors would allow you and the interactions with the device to become your authentication,” Dugan said in her address. “Your keystroke patterns, not what you type but how you type.”

Eventually, Google hopes to add varying levels of security depending on what authentication an app would require.

So far, Project Abacus has collected more than 40 terabytes of data from 1,500 donors and has delivered results although it’s a long way from a marketable product.

Google isn’t the only company trying to get rid of passwords, of course. Microsoft will use facial and fingerprint recognition with Windows 10, and the Fast Identity Online Alliance has granted certifications to 31 post-password products.

About the Author

Derek Major is a former reporter for GCN.

inside gcn

  • Google Map of free sandbags in Los Angeles

    When simple is best: Google Maps for disaster prep

Reader Comments

Thu, Jun 11, 2015 HItoshi Anatomi

In a world where we live without passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. Is this what we want? If they think of displacing passwords with biometrics, they should think twice. Whether iris, face, fingerprint, typing, gesture, heartbeat or brainwave, biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password to be registered in case of false rejection while keeping the near-zero false acceptance. Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security. In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group