Companies like Microsoft have been telling us for years that passwords are dangerous and insecure, and leading companies in the tech industry are finally doing something about it. The latest is Google, which is making it possible for Android users to log in to Google services using a fingerprint instead of a password -- that is, as long as you're running Android 7 or later, which should be most of you reading this.
Google is using a combination of FIDO2, FIDO CTAP, and W3C WebAuthn standards to enable this functionality on Android devices. So, while this kind of password-less login functionality has been available for quite some time in native mobile apps and services (like authenticating a purchase via the Play Store, for example), this is the first time that the capability has been extended to an internet browser -- in this case, Google Chrome.
For now, this biometric authentication on the web is only available with Google's password manager. The company provides the following steps for testing it out on your Android 7.0+ device:
- Open the Chrome app on your Android device
- Navigate to https://passwords.google.com
- Choose a site to view or manage a saved password
- Follow the instructions to confirm that it’s you trying to sign in
Using biometric data to log in to sites and services -- rather than passwords -- is a much more secure way of authenticating a user account, as credentials are stored on-device in a secure enclave. Not only do you not have to worry about using passwords or entering them online -- where they could become vulnerable to phishing attacks -- but it could also help limit, or mitigate altogether, a number of the wide-scale security breaches that seem to be affecting various industries around the globe.
"For the first time, available on the web, allowing the same credentials be used by both native apps and web services," write Google's Dongjing He and Christian Brand. "This means that a user only has to register their fingerprint with a service once and then the fingerprint will work for both the native application and the web service."
While this new FIDO2-based authentication is currently only available with the password manager, the company is working to make it available to additional Google and Google Cloud services in the near future.