Google has made no secret of its ambitions to eradicate passwords. The search company is now taking its war on passwords a step further by rolling out an API that will allow Android apps to access login credentials, essentially eliminating the need for passwords on the device.
The project, launched as a collaboration between Dashlane and Google, is being called “Open YOLO” (You Only Login Once). Dashlane said it is “spearheading” the collaboration, although the API will become available to other password management companies. Other password managers “will contribute their unique security and software development expertise” to improve on the open API, Malaika Nicholas, community manager at the New York-based identity management company, wrote in a blog post announcing the project.
The project “absolutely has the potential to bolster Android security and simplify the user login experience,” Elad Yoran, executive chairman of KoolSpan, said in an email to SCMagazine.com. “Too many people use duplicate passwords or struggle to manage their login credentials, and password managers organize the information and guarantee that passwords are long, complex and unique.”
Password re-use has become an increasingly dangerous scenario following the discovery of LinkedIn, MySpace and Tumblr login credentials for sale on the Dark Web. Password attacks have caused a slew of sites, including Reddit and Citrix's GoToMyPC, to forcibly reset user passwords.
Automating password security “is a positive for all sides,” noted Jonathan Sander, VP at Lieberman Software, in an email to SCMagazine.com. “Users get better passwords, services get less vulnerable accounts in their system and no one needs to do the hard work by hand.”
However, some pros see a need to move away from passwords entirely, and believe the API is a move in the wrong direction. The project “does nothing to reduce the inherent risks of password managers,” John Gunn, VP with VASCO Data Security, said in an email to SCMagazine.com. He noted that newer methods, including two-factor and multi-factor authentication processes, geolocation, biometrics and OTPs, are more effective. “This project could fail simply by succeeding in prolonging the much-needed move away from 30-year-old password technology.”
Indeed, users are becoming more comfortable with modern authentication methods. In a May study, 52 percent of consumers said they would prefer newer methods compared to using traditional username and password login credentials.