Google now lets you sign in to some of its services on Chrome on Android using just your fingerprint, rather than having to type in a password.
The feature is available starting today for some Android phones, and it will be rolling out to all phones running Android 7 or later “over the next few days.”
According to a Google help page, the feature also allows you to log in using whichever method you have set up to unlock your phone, which can include pins and pattern unlock.
Android phones already let you use your fingerprint to authenticate Google Pay purchases and log in to apps. What’s new here is being able to use that same fingerprint to log in to one of Google’s web services within the Chrome browser. At the moment, you can use the functionality to view and edit the passwords that Google has saved for you at passwords.google.com, but Google says it plans to add the functionality to more Google and Google Cloud services in the future.
Not having to remember a password means this is a much more convenient way to log in, and it’s also much more secure. Passwords have all kinds of vulnerabilities, even before you consider the fact that a lot of people reuse them across multiple sites. However, with this method, credentials are stored locally on your device so they can’t be intercepted or hacked off a company’s servers, and they’re also impossible to “phish” by tricking you into visiting a fake website. Using a password manager along with two-factor authentication helps mitigate a lot of these vulnerabilities, but the new method Google is using removes them entirely.
If you have a compatible Android handset, then you can try the functionality out now by heading over to passwords.google.com using the Chrome app on your phone. This service lets you manage all of the passwords that Chrome has saved for you. If you tap on any one of these saved passwords, then Google will prompt you to “Verify that it’s you,” at which point, you can authenticate using your fingerprint or any other method you’d usually use to unlock your phone. You’ll need to already have your personal Google Account added to your Android device for this to work.
Google’s new functionality is built using FIDO2 and the WebAuthn protocol, an open standard that sites can use to secure web-based logins. FIDO2 is much more secure than regular passwords. All Android devices running version 7.0 or later are FIDO2-certified, and Google lets you use an Android phone as a 2FA security key to log in to your account using the same technology.
Source: The Verge