By Robert McMillan 

Rohit Paul has seen the future of digital security, and it is free of pesky passwords. Recently, he needed to use a laptop to edit a vacation photo stored in Google Photos. He grabbed his wife's computer. But the 27-year-old engineer didn't type in Google credentials. Instead, he tapped a button on the screen of his Nexus 6P smartphone.

"It makes life easier," Mr. Paul said. "No need to worry about typing a complicated password."

Technologists aiming to strike a balance between security and ease of use are converging on the smartphone. The latest developments from Google parent Alphabet Inc. and from Apple Inc. go beyond using special programs designed to manage all of your passwords, or entering a code sent via text message. Instead, they treat a handset as a replacement for passwords and other identification.

Mr. Paul is part of Alphabet's quiet beta test program for "Sign in with your phone," Google's latest effort to let Android users log into its services--on any device--without a password. And in the future, Google engineers aim to give Android phones the ability to recognize individual users by analyzing patterns of speech, typing and other behavior.

Apple, for its part, has outfitted its latest iPhones with special high-security chips that let programmers develop apps to let users log in by touching their finger to the phone instead of entering strings of characters. The iPhone's built-in Touch ID fingerprint reader has become a popular way to unlock the phone, but app developers are starting to use it with other onboard security features to eliminate passwords entirely.

Mobile phones also serve as personal identification in credit-card alternatives such as the Apple Pay and Android Pay services. And banks are beginning to experiment with using phones to replace ATM cards. Citigroup Inc. and Wells Fargo & Co. are experimenting with systems that let people withdraw cash by using a special code displayed on a phone's screen.

Passwords are a notorious bane of digital life. Users forget them, make them easy to guess, or rely on the same one to gain access to multiple online services, all of which become vulnerable if the password is exposed. Network administrators hate them because they don't keep hackers at bay and resetting them is costly. Managers hate them because they waste a tremendous amount of time. The technology research firm Gartner Inc. estimates that password resets take up between 20% and 30% of all help-desk support calls in corporations.

Microsoft Corp. researcher Cormac Herley estimated in 2014 that if the Internet's two billion users spent five seconds a day typing passwords, the effort would amount to 1,389 man years daily. From "a cost-benefit standpoint users are rational to reject much security advice: the burden imposed is simply too great for the benefit received," he wrote in a research paper. For instance, one problem is that users are told not to reuse passwords, and to come up with complex, random sets of characters that are difficult to memorize.

"We know that the most popular passwords are all pretty much garbage," said Matthew Green, an assistant professor of computer science at Johns Hopkins University. "People tend to pick the less secure passwords in the largest numbers, so passwords are a bad idea from a security point of view."

However, Mr. Green said he doesn't think that the password will be completely replaced by mobile-phone gizmos any time soon. "I think these things are neat ideas, but they're too flaky right now for us to really rely on them. There are too many false negatives and false positives [regarding authentication]."

The password has been an endangered species for some time. Most mobile apps ask for one the first time they run on a new phone and leave users alone thereafter. But the pain persists. Buy a new phone or switch computers, and you need to remember passwords--often a lot of them.

Smartphones make a handy substitute. Like passwords, individual mobile devices are ubiquitous, unique and intensely personal. Unlike passwords, they're difficult to duplicate--and hackers can't sell copies of them to all comers in underground forums.

Google's "sign in with your phone" feature is the latest in a series of Google experiments to shed passwords. Regina Dugan, chief of the company's Advanced Technologies and Projects group, in May demonstrated a system that allowed a phone to know its rightful user by analyzing data from the phone's sensors.

"This next frontier of authentication moves the burdens of PINs [Personal Identification Numbers] and passwords from the user to the device itself," Ms. Dugan said during a speech at Google's annual software developer conference last May.

Peiter "Mudge" Zatko, a network security expert who contributed to other Google efforts to supersede the password before leaving last year to found a security consultancy, believes that Apple, and not his former employer, is best positioned to pull this off.

Apple's emphasis on hardware design and focus on the high-end market opened the door to two key pieces of technology that could help the company liberate users from the password, he said.

The company in 2012 purchased AuthenTec Inc., a maker of fingerprint readers, for $355 million. That technology forms the basis of the iPhone's Touch ID technology, which lets users log into their phones with a fingerprint rather than a password.

One immediate result was greater security. Two years ago, about 50% of iPhone users didn't lock their handsets. Today, 90% of iPhone users lock their devices with either a passcode or fingerprint scan. Of the top 2,000 free iPhone apps in the U.S., 7.5% use Touch ID, according to research done for The Wall Street Journal by SourceDNA Inc., an app analytics service. They include apps from Evernote Inc. and the Bank of America Inc.

New York security consultancy Trail of Bits Inc. this week will unveil a program, Tidas, that allows developers to access the iPhone in an even more secure fashion. Trail of Bits built its software after Apple discussed its special security chip, known as the Secure Enclave, at a June 2015 conference but didn't provide technical details on how to use it directly.

Trail of Bits CEO Dan Guido believes that the enhanced security provided by Apple's technology will further endanger the password. "People will absolutely use fewer passwords if this kind of technology achieves widespread usage," he said.

Nonetheless, Apple vice president of iPhone and iOS product marketing Greg Joswiak doesn't think that passwords will ever fully be eliminated. "I think there is still a purpose to having them, including using them to encrypt everything on your device," he said. "What we want to do is create an easy and secure experience with Touch ID and make the use of passwords as infrequent as possible."

Mr. Paul, who uses Google for email, search, photo storage, and driving directions, is still holding on to his password just in case. "When all else fails, go with the password as a fallback," he said.

Write to Robert McMillan at Robert.Mcmillan@wsj.com

 

(END) Dow Jones Newswires

February 08, 2016 19:42 ET (00:42 GMT)

Copyright (c) 2016 Dow Jones & Company, Inc.