Google is making it easier for Android users to authenticate themselves through the mobile web by allowing them to verify their identity using only their fingerprint.
A leading cause of data breaches is compromised passwords, whether through poor password hygiene or more sophisticated attacks, which is why technology companies and online service providers are exploring alternative authentication methods. To help this effort, the World Wide Web Consortium (W3C) recently approved WebAuthn — an official web standard for a Web authentication API — three years after it was first announced by the W3C and FIDO Alliance.
WebAuthn, which is part of the FIDO2 authentication specification and is supported by a number of big-name W3C contributors, including Amazon, Apple, Alibaba, Mozilla, PayPal, Yubico, and Google, is useful in a number of scenarios across devices and platforms. First, it enables password-free logins on mobile web services, which means a user who logs into a specific website on their phone may be prompted to register their device with that website, after which they can use a previously configured local authentication method, such as a screen lock PIN code or a biometric mechanism. The ultimate goal is to make online accounts more secure while confirming a user’s identity with as few obstacles as possible. It also means that a user only has to register their biometric credentials with an online service once for it to work across both web and native apps.
From today, Google is rolling out password-free authentication for some of its services on Android devices, leveraging the FIDO2 standards, FIDO CTAP, and WebAuthn, which is designed to “…provide simpler and more secure authentication experiences,” according to a blog post from the company. In practice, this means you can now use your fingerprint or device’s screen lock code to access certain Google services through the web.
To kick things off, you will be able to access all of your saved passwords through passwords.google.com without first having to enter your Google Account password. The company hasn’t confirmed which other Google services will support this in the future, but a spokesperson told VentureBeat that it will be incorporated more broadly into Google sign-in over time.
The internet giant is quick to stress that it doesn’t receive a copy of users’ fingerprints — everything is done locally on the device. “Only a cryptographic proof that you’ve correctly scanned it is sent to Google’s servers,” the company wrote. “This is a fundamental part of the FIDO2 design.”
The new authentication feature will land on all devices running Android Nougat (7.0) and above in the coming days. To leverage the new feature, users will be required to log into their personal Google Account on the device and to set up a screen lock code, and it’s worth noting here that it will only work with Google’s own Chrome browser at first.
Google has been stepping up its user security efforts across the board, and last year the company launched its own physical security key, called Titan, designed to bolster Google Accounts with stronger two-step verification (2SV). This can actually be used in concert with local biometrics-based authentication — security keys can be used to ensure that only the legitimate owner accesses an account on a new device, with fingerprints then used to reauthenticate a user who has already signed into their Google Account.
It’s also worth noting here that this inaugural implementation is likely to kickstart a broader push onto other FIDO2-compatible devices, with a couple of upcoming Chromebooks also sporting fingerprint readers.
“This new capability marks another step on our journey to making authentication safer and easier for everyone to use,” Google said. “As we continue to embrace the FIDO2 standard, you will start seeing more places where local alternatives to passwords are accepted as an authentication mechanism for Google and Google Cloud services.”