Google's Abacus Project: It's All about Trust

Do you hate having to remember your password when you want to access a secure Web site? Well, that soon may be a thing of the past. Google has announced a new API that developers can use to identify you without the hassle of passwords or pet-name security questions. The new system (codenamed Abacus) should be ready for use by the end of the year.

Of course, Google already supports OAuth 2 (with OpenID Connect layered on top for sign-in), which lets users log on to third-party sites with their Google account. As long as you're signed in to Google, accessing such a site is as simple as clicking a button.

That seems simple enough—how can Google improve on that?

Well, there's always the case where you forget your Google password. And, what happens if someone else picks up your unlocked phone? With your Google session already active, the same one-click mechanism lets them into your data too.

Abacus works differently. It uses a range of behavioural and physical biometrics to verify the identity of the person holding the phone. It draws on data from your phone's sensors to recognize you, and it combines multiple pieces of information, from your location to the way you type. Voice recognition and facial recognition also are a part of the system.

Third-party developers will access Abacus through the "Trust API", which will be integrated into the Android platform.

Most mobile devices lack dedicated biometric sensors, such as fingerprint readers or iris scanners. So Abacus uses only data that a regular Android phone can collect.

Every time you interact with your device, you generate a stream of small signals. No single one of these data points is enough to identify you on its own, but taken together, they form a distinctive picture of the user.

The API is backed by a service that's constantly running, so it should be able to respond quickly if someone else starts using the phone. In a tech demo, Google engineers handed an Android phone back and forth. Each one typed a short phrase. The phone was able to identify the user within a split second.
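To make the idea concrete, here is a toy continuous-authentication scorer. It is an added illustration, not Google's Abacus or Trust API code: it fuses two weak signals (keystroke timing and location) into one trust value, smooths that value over successive observation windows so a hand-over to another person shows up quickly, and maps it to an unlock, step-up or lock decision. The Gaussian similarity model, the weighted geometric-mean fusion, the weights, the thresholds and the enrolment data are all assumptions chosen for readability; the third scenario, the owner typing with an injured hand, shows how a behaviour change degrades the score rather than simply passing or failing.

```python
"""
Toy continuous-authentication trust score.

Added illustration, not Google's Abacus/Trust API code. Signal models, fusion
weights, thresholds and the enrolment data below are assumptions.
"""
from dataclasses import dataclass
from math import cos, exp, log, radians, sqrt
from statistics import mean, pstdev

UNLOCK, STEP_UP, LOCK = "unlock", "step-up", "lock"  # decisions a relying app acts on


@dataclass(frozen=True)
class TypingProfile:
    """Enrolled keystroke dynamics: mean/std-dev of key-hold and inter-key gap (ms)."""
    hold_mean: float
    hold_sd: float
    gap_mean: float
    gap_sd: float

    @classmethod
    def enroll(cls, holds, gaps):
        # pstdev can be 0 for a tiny enrolment set; floor it so z-scores stay finite
        return cls(mean(holds), max(pstdev(holds), 1.0), mean(gaps), max(pstdev(gaps), 1.0))


def gaussian_similarity(value, mu, sd):
    """1.0 when the observation sits on the enrolled mean, decaying with its z-score."""
    z = (value - mu) / sd
    return exp(-0.5 * z * z)


def typing_score(profile, holds, gaps):
    """Compare a short typing sample (ms lists) against the enrolled profile, in (0, 1]."""
    return (gaussian_similarity(mean(holds), profile.hold_mean, profile.hold_sd)
            + gaussian_similarity(mean(gaps), profile.gap_mean, profile.gap_sd)) / 2


def distance_km(a, b):
    """Equirectangular approximation; good enough at the few-km scale used here."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    x = (lon2 - lon1) * cos((lat1 + lat2) / 2)
    y = lat2 - lat1
    return 6371.0 * sqrt(x * x + y * y)


def location_score(known_places, here, scale_km=10.0):
    """1.0 at a familiar place, falling off exponentially with distance from the nearest one."""
    d = min(distance_km(p, here) for p in known_places)
    return exp(-d / scale_km)


def fuse(scores, weights):
    """Weighted geometric mean: one strongly anomalous signal drags the result down
    even when the others look normal (an impostor typing at the owner's home, say)."""
    total = sum(weights)
    return exp(sum(w * log(max(s, 1e-12)) for s, w in zip(scores, weights)) / total)


def decide(trust, unlock_at=0.7, step_up_at=0.4):
    """Map a trust value to an action; the relying app picks thresholds for its own risk."""
    if trust >= unlock_at:
        return UNLOCK
    if trust >= step_up_at:
        return STEP_UP  # ask for a PIN or password instead of locking outright
    return LOCK


class ContinuousTrust:
    """Always-on scorer: each observation window updates an exponentially smoothed
    trust value, so a hand-over to someone else is visible after one or two windows."""

    def __init__(self, profile, known_places, alpha=0.8, weights=(0.7, 0.3)):
        self.profile, self.places = profile, known_places
        self.alpha, self.weights = alpha, weights
        self.trust = 1.0  # start fully trusted: the owner just unlocked explicitly

    def observe(self, holds, gaps, here):
        signals = (typing_score(self.profile, holds, gaps), location_score(self.places, here))
        fresh = fuse(signals, self.weights)
        self.trust = self.alpha * fresh + (1 - self.alpha) * self.trust
        return decide(self.trust)


# Constructed enrolment data: the owner holds keys ~100 ms and pauses ~150 ms between them.
OWNER = TypingProfile.enroll(holds=[90, 110, 90, 110], gaps=[130, 170, 130, 170])
HOME = (51.5074, -0.1278)  # assumed familiar location (lat, lon)


def demo():
    """Three constructed scenarios; returns the decision for each."""
    handover = ContinuousTrust(OWNER, [HOME])
    owner = handover.observe([98, 102, 100], [150, 150, 150], HOME)   # owner at home
    thief = handover.observe([70, 70, 70], [210, 210, 210], HOME)     # someone else grabs the phone
    injured = ContinuousTrust(OWNER, [HOME]).observe([115, 115, 115], [180, 180, 180], HOME)
    return owner, thief, injured


if __name__ == "__main__":
    print(demo())
```

The geometric-mean fusion is the design choice worth noting: with a plain weighted average, an impostor sitting in the owner's living room would get almost half credit from the location signal alone, whereas here any one badly anomalous signal pulls the score into the lock band. The flip side, visible in the injured-hand scenario, is that the owner's own drift lands in the step-up band and has to be rescued by a conventional credential.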

But while the Trust API may be a boon for people with password amnesia, it does raise some concerns. To begin with, it's hard to be comfortable with a system that constantly monitors you.

The Trust API effectively spies on you, listening to your voice, using your phone's camera to peer at your face and tracking your position via GPS. Just a few years ago, this would have sounded like paranoid raving. Today, it's a reality.

Although biometrics can be more secure than passwords, the idea of being under constant surveillance is unsettling. And unlike a password, a biometric profile can't be changed once it leaks. Even if we're OK with Google collecting this data, it makes a very tempting target. To identity thieves, stalkers and miscellaneous criminals, this information is precious too.

If they could break through Google's defenses, what would they do with your data? Could they exploit the API to spy on you in real time? Or could they feed captured signals back to it to impersonate you, through some kind of "man-in-the-middle" attack?

Another issue is how the system would respond to changes in your regular pattern. If you hurt your hand and had to type differently, would it still recognize you? What if you had a cold?

The technology behind the Trust API is impressive, and it does address some of the shortcomings of outdated authentication systems, but are the risks too high?
