If you find it annoying to create a good password and type in every time you want to log in to your Google account, then you may be in luck. Emil Protalinski reports for VentureBeat that Google is testing a method to let you sign in to your account without a password, just your phone.
Protalinski characterizes the idea as the latest move in Google’s battle against poor passwords. Poor passwords, if you aren’t familiar with the term, refers simply to the bad passwords that people create when they really don’t want to bother with creating and remembering a secure password. That includes “password” or “1234,” or even the relatively secure password that you use with all of your online accounts, instead of worrying that you’ll forget the new ones you created for each different website.
Surprisingly, Google has envisioned a situation in which the solution to all of this is to ditch the password altogether. Google is testing a new account option that would enable you to log in using your phone instead of by entering a password. The feature would use your phone to authenticate your identity. To do so, your phone would pop up a notification enabling to allow or deny access to your account.
The fact that Google is testing the feature was first publicized by a Reddit user named Rohit Paul, who was invited to test the new functionality on a personal Google account. A Google spokesperson told VentureBeat, “We’ve invited a small group of users to help test a new way to sign-in to their Google accounts, no password required.”
The spokesperson added, “‘Pizza’, ‘password’, and ‘123456’ — your days are numbered,” giving examples of account passwords and security question answers that are far too common, especially in an era when online accounts hold sensitive personal information of all types. (Think about it: your Google account, from the documents in your Google Drive to the archives of messages in your Gmail account, contain information from your address to your birth date.)
Paul explained how the trial version of the functionality works. First, you “authorize your phone to allow you to log into your account.” Then, the next time that you’re on, say, your laptop and want to log in to your Google account, you’ll type in your email. “Then you get a message on your phone to allow the login. If you hit yes, the computer logs into your Google account without a password.”
Google says that the test version of the feature works on both Android and iOS devices. And the company clarifies that you can still log in to your account by typing in your password, an option that will remain available in case you need it. But a major advantage to signing in with your phone is its ability to protect against phishing attacks, wherein a malicious party tries to gain access to sensitive information, like your usernames, passwords, or credit card information, by pretending to be a trustworthy company or service. Because your phone plays a role in authenticating you, phishing attempts and exploits like keyloggers are suddenly rendered useless.
The email inviting Paul to test the feature explains that after a user sets up the option, “you won’t need your password to sign in, but you can always use it if you want to.” And “as always, if we notice anything unusual about your sign-in you may be asked to complete an extra step or two to prove it’s really you.” If your phone’s battery dies or if your phone isn’t around when you want to log in to your Google account, you can still use your password by clicking the option to “use your password instead” at the bottom of the page.
If you lose your phone, you can protect yourself by logging in to your account on another device, navigating to your account settings, and then revoking account access from the lost device. Similarly, to use a new phone, you’ll need to go to My Account, click “use your phone to sign in,” and then click “Edit” to add a different phone.
Protalinski notes that this trial isn’t Google’s only attempt to fight phishing. Earlier in 2015, the company launched a Chrome extension called Password Alert, which will warn you if you navigate to a website that attempts to imitate accounts.google.com in order to get you to give up your login credentials.