Google lets Android users skip the password when logging in
It could soon become easier for Android users to securely log into Web accounts. Starting today, Google is rolling out a service that lets people on version 7 and later of Google’s mobile operating system use their device’s fingerprint or screen lock instead of a password when visiting certain Google services.
For now, the service is available only for Google’s Password Manager property, and even then it’s only when people are using select Android models. Over the next few days, the feature will be available to all Android 7 and above devices. Google has no timeline for when people will be able to use the feature when signing in to Gmail, other Google properties, or for non-Google sites.
The new sign-in method uses the industry-wide FIDO2, W3C WebAuthn, and FIDO CTAP standards jointly developed over the past few years by a long list of companies. The standards are designed to wean the world off its reliance on passwords by making it easier to use other authentication factors such as physical security keys, fingerprints, or other biometrics.
The new feature, which Google announced in a blog post published Monday morning, is one of the first times it has become possible to log into a Google property using the FIDO2 framework. Google says it marks the first time an interaction on the Web, as opposed to one inside a native mobile app, has allowed the use of a biometric to authenticate an action.
“An important benefit of using FIDO2 versus interacting with the native fingerprint APIs on Android is that these biometric capabilities are now, for the first time, available on the Web, allowing the same credentials be used by both native apps and web services,” Google Software Engineer Dongjing He and Google Product Manager Christiaan Brand wrote in Monday’s post. “This means that a user only has to register their fingerprint with a service once and then the fingerprint will work for both native application and the web service.”
People who have a device running Android version 7 or higher and have it configured to use a Google account and a “valid” screen lock can try out the new feature by doing this:
- Open the Chrome app on the Android device
- Navigate to https://passwords.google.com
- Choose a site to view or manage a saved password
- Follow the instructions to confirm that it’s you trying to sign in
Google has more detailed instructions here.
Convenience as the enemy of security
Monday’s post said that fingerprints are never sent to Google servers, and instead remain “securely stored” on devices. Per a core requirement of the FIDO2 design, only a cryptographic proof that a fingerprint has been correctly scanned is sent to Google’s servers.
The convenience provided by the feature, assuming it comes to more widely used properties, is great, but users should be aware that it may come at the cost of some security. While courts aren’t unanimous, they frequently grant more latitude to defendants who refuse to divulge passwords, since doing so amounts to testifying against oneself. Biometric information, by contrast, is often regarded as evidence that investigators can confiscate.
For another potential loophole, today’s blog post says Android users can use their device fingerprint or lock screen to authenticate themselves. That suggests that people have the option of using the PIN, password, or pattern that unlocks their phone to authenticate themselves to their Web account. It’s hard to see how this is any more convenient than entering a password into a browser. It’s also arguable this arrangement might degrade security, since many phone users are reluctant to use long, complex passphrases to unlock their devices because it’s such a hassle to enter them so often. If a phone were ever to be lost or stolen, it might lead to a Web account being compromised.
Another wrinkle: the feature Google introduced today can’t be used on the site’s password manager if users have set a sync passphrase to protect passwords shared among their various Chrome browsers. That means that in order to use FIDO2 authentication, users will arguably be required to turn off a protection that many consider a best practice. A Google spokesman said use of a sync passphrase makes passwords invisible to Google. In that case, FIDO2 authentication works only when users have an application on the client side to decrypt the passwords, the spokesman said, without specifying what such client-side applications are.
Monday’s rollout of the new authentication method comes after years of pronouncements that passwords are dead. The limited availability of the feature—to a single Google property and then only to people using Android—underscores just how exaggerated those reports of the password’s demise are. Still, it demonstrates limited progress, and that’s better than nothing.