Google's Abacus API adds security by subtracting passwords

The API, which shifts the authentication burden from users to their Android devices, will be available to developers by the end of the year

Google's Abacus API adds security by subtracting passwords
Credit: Thinkstock

Users are notoriously bad at creating strong passwords, so Google's Project Abacus proposes shifting the authentication burden away from users and onto their Android devices.

This isn't merely a pie-in-the-sky infosec team notion, either, as the company plans to make the technology available to all Android developers before the end of the year.

Abacus runs in the background and monitors the user's activity on the device, such as search content, current location, and typing patterns. These elements are combined with biometric data, such as facial recognition, voice speed, and fingerprints, to derive a cumulative Trust Score to unlock devices or sign into applications.

The plan is to make authentication even simpler and more efficient than existing multifactor authentication schemes because the user doesn't have to do anything differently or learn to use something new.

Many authentication technologies already rely on the user having the device with them. Abacus extends the idea so that the user doesn't have to prove identity. Instead, the smartphone knows the user and knows whether or not that user has access to the specific application.

Abacus has been in the works for the past year and is currently in trials at 33 universities. Google plans to release the API for Abacus to select financial institutions in June and make it available to all Android developers by the end of 2016, Dan Kaufman, the lead of Google's Advanced Technologies and Projects division, said in a talk at Google I/O last week.

Many information security folks would love to see passwords disappear, and biometrics is the most popular approach at the moment. Just as the fingerprint lock on the iPhone and Android devices has made PIN codes/pattern locks/passphrases unnecessary, developers see the potential of using facial recognition and speech patterns to authenticate users trying to access their applications. Google already offers several different schemes, including sending one-time codes to mobile phones whenever a user tries to log in from an unknown device and unlocking the device through facial recognition.

There are some concerns about overly relying on biometrics, such as situations where the user has an injury and can't easily swipe the fingerprint sensor, or has a bad enough cold that the voice recognition fails. Abacus doesn't rely on biometrics only to calculate the Trust Score, and more importantl the Trust Score merely indicates how confident the system is that the user is who the user claims to be. The decision on whether or not to grant access stays with the developer.

In practice, developers can set a certain threshold for the application. If the user's Trust Score is not high enough (maybe the user has that aforementioned cold), then the application can fall back to asking the user to enter a password or try another method of verification. Some developers may decide to require a lower score for their application than others.

The fact that the system monitors what we do or what we type while surfing online seems a little creepy, and when paired with Google's insatiable appetite for all kinds of user data, the endeavor feels overly intrusive. The question is how much of the information is actually stored and whether the company plans to mine Abacus data for its other analytics projects. If typing patterns and search terms aren't actually stored but used as part of calculations, for example, then the monitoring doesn't feel so much like surveillance.

Trust Score may gain traction precisely because it seems to make authentication less intrusive. Users don't enable two-factor authentication for myriad reasons, including the fact that it slows down the log in process, it's awkward, or they don't want to share their mobile phone numbers. The question is whether users would trust their smartphones to know who they are. Considering how much of their lives users already have on their smartphones, it's not so far-fetched that they would be willing to give their devices that much authority.