Google is on a quest to kill the password, and it's really no surprise. Given how many things are connected to Google accounts and services, it is in Google's best interest to make sure those accounts are always kept safe. Passwords have long been considered insufficient on their own, and the tech industry has been heading towards biometrics. Towards that end, Google is now allowing Android devices to use fingerprints to sign into their Google accounts.
To be clear, this isn't actually a new thing. The FIDO Alliance, a.k.a. Fast ID Online, has been pushing for the use of biometrics as a two-factor authentication element across all devices and platforms. The focus has recently been on laptops and desktops, utilizing built-in or add-on fingerprint and iris or face scanners, probably because those are the hardest devices to reach. Smartphones, in contrast, already use those elements for unlocking the phone and making online payments.
All it needs, then, is for service providers to tie things together. In Google's case, it means using FIDO2 and the relatively new WebAuthn standard to tie into the built-in fingerprint APIs on Android. This ensures that the already trusted and familiar mechanism on mobile can be used for conveniently signing into Google accounts, as well as other apps and services that use Google's single sign-in framework.
There are, however, a few caveats to this implementation. The first is that Google will roll out this new security feature to Pixel phones first. The feature will eventually reach other Android phones that run Android 7.0 Nougat or newer. It is also dependent on Chrome, which is what Android uses internally anyway.
Google clarifies that all the authentication happens locally on the user's device. Fingerprints are never sent to Google's servers; all that Google receives is cryptographic proof that you have indeed signed in securely. Some might have reservations about that, but those people probably wouldn't be using Google accounts to sign into everything anyway.