At a keynote during today’s Google I/O conference, the head of Google’s Advanced Technologies and Projects Group showed off a vision of a more secure mobile future. Step one: Kill the password. Step two: Turn your smartphone’s MicroSD card into a digital Fort Knox.
It might be some time before we see either of the technologies ATAP’s Regina Dugan introduced today in our phones; her job, after all, is to dream up the future, not stock Best Buy’s shelves right now. But both projects are worth paying attention to. Either could inextricably change the way we interact with---and more importantly, trust---our devices.
Google’s just one of several companies trying to move past the increasingly archaic-feeling alphanumeric combinations (or series of swipes) that protect everything from our smartphones to our online bank accounts. Microsoft will lean on facial and fingerprint recognition in Windows 10 with Windows Hello, while the FIDO (Fast Identity Online) Alliance last week granted certification to 31 post-password authentication products.
It’s a crowded field. Google ATAP’s solution still manages to stand out, though, with its claim of 10 times the security of “the best fingerprint sensors” available today. The way it achieves that security happens to be pretty eye-catching as well.
“What if instead of a single sensor, we could use a combination of sensors that would allow you and the interactions with the device to become your authentication,” Rugan posited in her address. “Your keystroke patterns, not what you type but how you type. Your patterns of speaking, not what you say but how you say it.”
Google’s proposed method of authentication, in other words, doesn’t rely on much more than using your phone as you normally would. There’s nothing to remember, no string of characters or patterns. There’s just...you. And it wouldn’t just unlock your phone; Rugan hopes someday to provide varying levels of security, depending on what level of authentication a particular app requires. The system would simply weigh evaluators like your location, facial recognition, how you’re moving, how you sound, how you’re typing, and more.
If all of this sounds like an opportunity for creeptastic data-collection, well, it certainly could be, but Rugan specifically said that the processing all occurs locally on your device.
It’s also not as far-fetched as it sounds; in fact, says Rugan, it’s already working. By collecting more than 40TB of data from 1500 donors, ATAP’s team of 25 researchers were able to get results, though how far those results are from being productized is still unclear. Whenever it does find its way to our phones, though, it could come in the form of a simple software update.
Google ATAP has a hardware security solution to share, as well. Rugan also showed off Project Vault, a microSD card imbued with an array of high-level security features to keep your information and communications safe.
Vault can really more accurately be described as a microSD-shaped secured-computing environment; it has an ARM processor on board, an NFC chip, an antenna, a secure operating system, a flotilla of cryptographic services, and 4GB of storage. It can protect data that’s just sitting on your phone, or secure end-to-end communications. And its versatility doesn’t end there.
“It can be used for mobile, to desktop, to the Internet of Things,” explained Rugan, noting that Vault works equally well with Android, Windows, OS X, and Linux. That makes sense; systems see Vault as just another storage device, with one read file and one write file.
And while it can’t lock down your entire phone, it’s there to make sure your most critical security needs are met. These days, there are quite a few of them.
“As our smartphones have become more capable, the code that runs them does too,” said Rugan. “Large code bases made by humans have errors. Errors may be exploited, to place some of our most important information at risk.” Vault, presumably, saves us from the fallibility of code.
Vault will be headed to enterprise users first, but Rugan indicated that a consumer version wouldn’t be far behind. It’s closer to reality than ATAP’s proposed password overhaul; there are already 500 units up and running at Google.
Google ATAP had flashier demonstrations on display today; turning clothes into touchscreens and reinventing gestures rightly generates more drool. But a smarter way to protect our phones, from both intruders and our own dumb password-forgetting selves, is every bit as welcome. And at the very least, it's more likely to make the journey from Google's future-lab to the eagerly awaiting present.
