A Journey to Kill the Password. How far is too far?

Photo: Samuel Zeller

Intelligent security or invasive surveillance? Imagine systems that authenticate you by the way you interact with devices, making it no longer necessary to remember passwords. The system learns your behaviors and begins to know you. It learns your face, your voice, fingerprints, body temperature and your schedule down to the millisecond. Your device knows how you type, what words you choose, which patterns you swipe, your walking routes and current location. The system learns everything it can about you.

Then that system makes its judgments about you. When you wake up in the morning, your phone unlocks as soon as you pick it up. You get out of bed, go to your computer, place your hands on the keyboard and it logs you in. You head outside, walk up to your car and when you touch the door handle it opens. The journey to create this new system has already started through a multi-factor authentication platform at Google and their Trust API.

The Advanced Technology and Projects (ATAP) group at Google is a self-proclaimed band of pirates. Their goal is to research and develop projects for the sake of radical innovation. The projects they work on use motion sensing and cameras to map physical space in GPS-denied areas. They work on digital tattoos that wear off and can be used as an entry token with a sentry system: a tattoo you wear on your arm that allows you access into a building until it expires and disappears from your skin. They weave sensors into the fabric of your clothing that send out feedback. They’re attempting to create a truly connected way of living our daily lives. The questions that linger in this system are how you secure and authenticate this data, and how you implement this system of Trust.

Smart Lock. Smart Lock is the first technological step in bringing a new level of intelligence into the security space. It can automatically unlock your device when you’re in a trusted area based on your location, when a trusted Bluetooth device is connected, when you’re carrying your phone or when it recognizes your face. This is a strong first approach, but as the National Science & Technology Council’s Subcommittee on Biometrics points out, there can be significant margins of error when using only biometric authentication methods.

That’s where Project Abacus comes into play. Project Abacus is a service that runs constantly in the background, collecting and analyzing data about everything you do to form a Trust Score. A Trust Score is a measure of how confident the system is that you are who you say you are. Project Abacus focuses on creating intelligent security that trusts and verifies your data, manages how the data is disclosed, and creates assurances that the device cannot deny who the user is.

The team working on the Trust API is analyzing how people interact in the real world. TechCrunch journalist Sarah Perez writes about how other ATAP-connected projects can introduce real change in how users interact with their apps and devices. Depending on the intended level of security, such as in banking, a unique entry PIN can also be generated along with this technology. Is it creating an invasive surveillance system that monitors data coming from all of these sensors? The Trust API can create a baseline on you, the user. Creating baselines has been the standard security approach when implementing defensive and offensive network and system intrusion detection systems. By monitoring what normal activity looks like, the system should be able to recognize anomalies and trigger a certain response.
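To make the baseline idea concrete, here is an added sketch (not Google's code, and not how the Trust API actually scores users) that builds a per-user baseline, turns a new observation into a trust score, and falls back to a PIN when the score is too low for the app. The signal names, sample values, thresholds and scoring formula are all assumptions made for illustration.

```python
import math
from statistics import mean, stdev

# Constructed enrollment samples for one user (not real sensor data).
BASELINE = {
    "key_interval_ms": [182, 175, 190, 168, 185, 179, 188, 172],
    "swipe_speed_px_s": [940, 1010, 980, 965, 1020, 990, 955, 1000],
    "km_from_usual_places": [0.2, 0.5, 0.1, 0.8, 0.3, 0.4, 0.6, 0.2],
}
# Hypothetical thresholds: the more sensitive the app, the more trust it demands.
THRESHOLDS = {"game": 0.30, "email": 0.60, "banking": 0.85}

def build_profile(samples):
    """Reduce each signal to (mean, standard deviation): the user's baseline."""
    return {name: (mean(v), stdev(v)) for name, v in samples.items()}

def trust_score(profile, observation):
    """Average per-signal similarity to the baseline, from 0.0 to 1.0."""
    parts = []
    for name, (mu, sigma) in profile.items():
        if name not in observation:
            parts.append(0.0)  # a missing sensor earns no trust (fail closed)
            continue
        z = abs(observation[name] - mu) / max(sigma, 1e-9)
        parts.append(math.exp(-((z / 3) ** 2)))  # ~0.9 at 1 sigma, ~0 past 6 sigma
    return sum(parts) / len(parts)

def decide(app, score):
    """Unlock silently at or above the app's threshold, else fall back to a PIN."""
    threshold = THRESHOLDS.get(app, float("inf"))  # unknown apps always get the PIN
    return "unlock" if score >= threshold else "require_pin"

PROFILE = build_profile(BASELINE)
# Constructed observations: the owner, someone else in the same place, owner without GPS.
OWNER = {"key_interval_ms": 181, "swipe_speed_px_s": 975, "km_from_usual_places": 0.3}
OTHER_PERSON_SAME_PLACE = {"key_interval_ms": 260, "swipe_speed_px_s": 700,
                           "km_from_usual_places": 0.4}
OWNER_NO_GPS = {"key_interval_ms": 181, "swipe_speed_px_s": 975}

if __name__ == "__main__":
    for label, obs in [("owner", OWNER), ("other person", OTHER_PERSON_SAME_PLACE),
                       ("owner, no GPS", OWNER_NO_GPS)]:
        score = trust_score(PROFILE, obs)
        print(label, round(score, 3), {app: decide(app, score) for app in THRESHOLDS})
```

The second observation shows why one familiar signal should not carry the decision: a trusted location alone still clears the lowest threshold here, while email and banking fall back to the PIN.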

Privacy. Perhaps the question to ask is not whether to allow a system to learn who you are, but what level of exposure your data will have. Who will have the ability to harness the knowledge this system gleans? Invasive surveillance: that is how some, like freelance journalist Violet Blue, view this situation. When you connect and label sensors to everything you own, what happens is a slow, seemingly innocent advance on all of your intimate records, which are then sorted, merged, analyzed, compressed, and stored.

Project Abacus plans to use all of our tracked information to create intelligent security. But with innovation comes both the risk of success and failure. Success brings a system of checks and balances that helps create stability in our fast-paced, technology-focused societies. Failure can bring vulnerabilities, data breaches, and chaos.

A project like Abacus, as with any security project, carries with it much responsibility. How much faith can we give a system that is supposed to trust us? Failure will no longer be “I forgot my password so I can’t sign into my email”, but “There’s an intruder in my house! And my phone won’t recognize me so I can’t call for help!”

— JR

References:

National Science & Technology Council’s Subcommittee on Biometrics. (2006). Biometrics Frequently Asked Questions. Retrieved from http://biometrics.gov/Documents/FAQ.pdf

Perez, S. (May 23, 2016). Google plans to bring password-free logins to Android apps by year-end. Retrieved from http://techcrunch.com/2016/05/23/google-plans-to-bring-password-free-logins-to-android-apps-by-year-end/

Blue, V. (January 1, 2016). Google’s creepy plan to kill the password. Retrieved from http://www.engadget.com/2016/01/15/googles-creepy-plan-to-kill-the-password/