Throughout all of modern computing history, passwords have been the primary method of securing data. The problems with passwords are numerous, but things are slowly changing with biometrics, hardware security keys, and so on. Google is leveraging several new technologies to make one of its sites password-free, but only for Android users.
Google says it has automated protections that prevent unauthorized individuals from accessing user accounts, but no system built on passwords is perfect. You’ll never convince everyone to use strong passwords, and some of those who do will have to write them on post-it notes. For the first time, you won’t need to use a password to access your Google account data. However, that’s only true for one service and select Android phones right now.
Starting today, you can go to Google’s password manager site on your smartphone and log in with a tap. The password manager site gives you access to all the account credentials saved in Chrome and Android autofill. So, it’s a wealth of high-value data that could potentially allow an attacker to compromise many of a victim’s accounts. Instead of using a password to log in, you can use the secure unlock method on your phone — for example, your fingerprint. Tap the sensor to verify your identity, and you’re in.
Google doesn’t have fingerprint data on its servers — that stays locally on your phone. That’s also a fundamental part of the FIDO2 design spearheaded by Google and others. Google registers a platform-bound FIDO credential on your phone that serves to verify your identity not unlike a hardware security key. When you visit the Google password manager, the site uses a WebAuthn “Get” call to retrieve the stored credential. That works as a FIDO2 signature to verify your identity.
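The WebAuthn “Get” exchange described above, as an added example that is not Google's code: it builds the request options a site would pass to `navigator.credentials.get()` and shows the checks a server runs on the signed response. The `rp.example` relying party, the function names and the simulated phone authenticator are assumptions constructed so the block runs under Node.js.

```javascript
const crypto = require("crypto");
const RP_ID = "rp.example"; // constructed relying-party ID (assumption)
const ORIGIN = "https://rp.example";
const sha256 = (b) => crypto.createHash("sha256").update(b).digest();

// Options the site passes to navigator.credentials.get({ publicKey: ... }).
function buildGetOptions(challenge, credentialId) {
  return {
    challenge, rpId: RP_ID,
    userVerification: "required", // demand fingerprint/PIN, not just presence
    allowCredentials: [{ type: "public-key", id: credentialId, transports: ["internal"] }],
  };
}

// Server side: validate the assertion against the challenge it issued.
function verifyAssertion({ authenticatorData, clientDataJSON, signature }, challenge, publicKey) {
  const client = JSON.parse(clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.origin !== ORIGIN) return "wrong origin";
  if (client.challenge !== challenge.toString("base64url")) return "challenge mismatch";
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "rpIdHash mismatch";
  const flags = authenticatorData[32];
  if (!(flags & 0x01)) return "user not present";  // UP bit
  if (!(flags & 0x04)) return "user not verified"; // UV bit: biometric/PIN was checked
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, signature) ? "ok" : "bad signature";
}

// Constructed stand-in for the phone: signs authenticatorData || SHA-256(clientDataJSON).
function simulateAuthenticator(options, privateKey, flags) {
  const counter = Buffer.from([0, 0, 0, 1]); // signCount, big-endian
  const authenticatorData = Buffer.concat([sha256(options.rpId), Buffer.from([flags]), counter]);
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: options.challenge.toString("base64url"), origin: ORIGIN }));
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { authenticatorData, clientDataJSON, signature: crypto.sign("sha256", signed, privateKey) };
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const challenge = crypto.randomBytes(32);
  const options = buildGetOptions(challenge, crypto.randomBytes(16));
  const run = (flags, expected) =>
    verifyAssertion(simulateAuthenticator(options, privateKey, flags), expected, publicKey);
  return {
    verified: run(0x05, challenge),                    // UP + UV set
    presenceOnly: run(0x01, challenge),                // no biometric check
    staleChallenge: run(0x05, crypto.randomBytes(32)), // server expected another challenge
  };
}
console.log(demo());
```

Only the public key and the signed assertion reach the server; the private key and the fingerprint match stay on the device.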
Currently, this feature only works on the aforementioned Google password manager site. You’ll also need a Pixel phone. The feature will roll out to all Android phones running version 7 (Nougat) or higher. Since this feature is plugged into the Android secure unlock feature, it should automatically work with any future secure unlock methods, such as the advanced face unlock capability coming to the Pixel 4. Face unlock on current Android phones won’t count as a secure unlock method for the purposes of Google’s new login feature.