
Google is testing a way for users to log in without a password


Using only your mobile device


Google's plot to kill the password is moving forward. The company is testing a method for users to log into their Google accounts using only a mobile phone and without having to type in a memorized string of characters. Android owner Rohit Paul, who posted about the test on Reddit yesterday, was invited to try it out and provided screenshots of the process.

Once a user authorizes their mobile device, they're able to input their account credentials on any computer and receive a notification on their smartphone. The device must have some type of screen lock security feature, as unlocking your phone is a prerequisite to approving or denying access to the account with this method. You're still given the option to log in with your regular password if you so choose. Google's email to participating users explains how you can deactivate a lost device, as well as add a new one in the event you upgrade your handset.

"We've invited a small group of users to help test a new way to sign-in to their Google accounts, no password required," a Google spokesperson told The Verge in a statement. "'Pizza,' 'password,' and '123456' — your days are numbered."


Beyond alleviating concerns over commonly used passwords, Google says the tool is another defense against hackers who rely on passwords to conduct phishing operations. A phishing attack tricks users into entering sensitive information by replacing legitimate login windows with disguised versions designed to capture and store the data.

This test joins a number of other Google initiatives aimed at improving security. Google has one of the most robust two-factor authentication services of any tech giant, meaning millions of Google account owners now sign in on the web using a code sent to them via text message. The company also has its Authenticator app, which generates a unique code on your mobile device to confirm your identity when signing into Google and third-party web services on a computer. In April, the company released the Password Alert Chrome extension designed to notify users when they may have input their password into a non-Google website.

Google is following in the footsteps of Yahoo

In the case of the password-killing tool, Google is borrowing from Yahoo, which in October announced a security feature called Yahoo Account Key. Arriving as part of the Yahoo Mail redesign, Account Key links your mobile device with your Yahoo account and sends a notification every time you try to log in on another device. Yahoo had previously transitioned account passwords to single-use SMS codes, and with Account Key it's trying to eliminate them for good. Now Google is following suit, albeit with a smaller test program for the time being.