Google to Android users: No passwords, you get fingerprint login to some sites
Goodbye passwords: Android is now FIDO2 certified
Just like Microsoft, Google is adopting new standards to begin letting users log in to websites using a phone’s fingerprint sensor, rather than a password.
The company has announced a key step in that direction by enabling fingerprint-based verification when visiting some Google services on one of its Pixel phones. It’s rolling out the feature via a Google Play Services update to all Android 7 and above devices in the next few days.
The new capability follows Google’s announcement in February that Android 7 and above were now certified under the FIDO2 standard which, along with companion standard WebAuthn, should reduce users’ reliance on passwords.
Google’s Android update is the start of bringing a no-password experience to over a billion Android users, or about half the total Android user base.
The combined standards could help stem some of the downsides of familiar login processes that require a password. Many people tend to create simple passwords so they’re memorable, but that also leaves them vulnerable to cracking when passwords leak.
To use the new ‘local user verification’ for Google Accounts, users will need to be running Android 7 or later, and a personal Google Account must be added to an Android device that has a screen lock set up.
Using Chrome on Android, users can test the feature on Google’s password manager site, https://passwords.google.com, which contains a list of services and credentials. Individuals are then asked to verify it’s them by scanning their fingerprint.
Google draws an important distinction between local user verification and its two-factor authentication, which provides additional protection for accounts against phishing attacks. Both security keys – such as its Titan keys and those from Yubico – and local user verification use FIDO2 standards.
Google says users shouldn’t be worried about their fingerprints being sent to its servers: the fingerprint is registered and stored only on the device. Only a cryptographic proof is then sent to Google’s servers.
Once Google has credentials for a specific Android device, users can log in with their fingerprint to a compatible service.
“As we continue to embrace the FIDO2 standard, you will start seeing more places where local alternatives to passwords are accepted as an authentication mechanism for Google and Google Cloud services.”