Google Testing New Password-Free Login System

John Lister's picture

Google is testing a login method that doesn't require a password. The problem is that the method doesn't necessarily add any convenience and isn't as secure as it could be.

Reports of the new method have come from a user at the discussion site Reddit, who was invited to test the new system. As part of the test, the user must have a smartphone registered. (Source: reddit.com)

The user posted screenshots which show the normal login screen but only asking for an email address (the Google equivalent of a user name) and not for a password.

Code Sent To Mobile Screen

The screenshots show that the user is then shown a message on their computer screen with a two-digit number. At the same time they get a notification on their mobile phone. Tapping this notification brings up a question asking if they are trying to log in to their account on a computer (which means they'll know if somebody is trying to hack their account).

If the user answers yes, they'll be asked to type the number from their computer screen on to their phone. Doing so will mean they are automatically logged in on the computer.

The idea of this somewhat convoluted system seems to be to make it possible to log in to Google without remembering a password, but the added steps may outweigh this convenience.

New Method Is Not Two-Factor Authentication

That said, the new system does not maximize security. It appears to work in a similar way to two-factor authentication, which is already available on Google, but actually falls a step short. Two factor means having two different forms of security check, usually something only you know, and something you have.

In the normal Google setup, this means knowing your Google password and having a mobile device. With Google's two-factor authentication you still have to login as normal (with your password), then go through an extra step with a code being sent to a phone.

With the new system being tested, the only detail you have to provide is the email address for the account, which is not secret. With this new system, it becomes much easier to hack a Google account. All you need is to know somebody's email address and have access to their phone.

To mitigate this, Google plans to only allow it to be used if the phone itself has a security measure such as a passcode. The theory is that its much easier for the user to remember this than their Google password, simply because of how many times they have to type it in each day.

Google says that if and when this feature is rolled out, users will still be able to login with their normal password. They'll also be able to remotely block access from their phone if it is lost or stolen. (Source: techcrunch.com)

What's Your Opinion?

Does this new system sound like an improvement in convenience or security? Would you use it if available? Do you take particular security measures with your Google password given it can control access to so much personal information?

Rate this article: 
Average: 4.3 (4 votes)

Comments

Dennis Faas's picture

My thoughts on this are that passwords are inherently bad, but only if used inappropriately. For example, if you use the same simple password on every website, then you are at major risk of being hacked.

In that case, using a cell phone with a cell phone login, GPS, and pass code to access a google login makes much more sense. That is effectively 3 layers of protection right there.

If someone attempts to hack your account and they can't prove they are in the same physical location as you normally are, then Google would be able to detect that. Since most attacks happen online from a remote location (other than where you are located), this is what Google is attempting to protect against. So this all makes sense to me, though 2 factor authentication is better.