Android gained FIDO2 certification to enable password-free login for compatible apps and services earlier this year, following Google Chrome's newly added compliance with the WebAuthn API. The objective was to let users sign in to a web service with the fingerprint sensor or local screen lock of their Android phone, and that is now finally a reality. Google has started rolling out support for FIDO2-based local user verification for Google Accounts, which means users can now sign in to a web service with the fingerprint sensor or the PIN of a supported phone instead of remembering a complex password.
Google has announced via a blog post that users can now verify their identity for Google services by using the fingerprint sensor, PIN or pattern lock of their supported Android smartphones. For now, the feature is available only on Pixel smartphones and will soon be rolled out to more Android phones running version 7.0 (Nougat) or a later version of Google's operating system. Currently, Pixel phone users can visit Google's password manager dashboard and tap on any of the websites or services listed on the page to see the new interface.
On the authentication page, users will see the option to either use the fingerprint sensor or enter the PIN/pattern lock of their Android phone for identity verification. However, users must already be signed in to the linked Google account on their compatible Pixel phone. Once the login is verified, users can access the password reset page of the selected web service. We tried this streamlined authentication approach on the first-gen Pixel phone running stable Android Pie and on the Pixel 3 running Android Q Beta 6, and found it to be working.
This approach is more secure, as it relies on a local authentication method, such as the fingerprint sensor or PIN, to verify the user's identity and relays only a yes/no response to the web service's server instead of sending the password itself, thus reducing the risk of interception by malicious parties.
The local verification based on biometrics employs the FIDO2 standards, which were made official for Android earlier this year, and will be rolled out to more web services and devices soon. The whole authentication system has been made possible by the adoption of the WebAuthn APIs, which are aimed at reducing the need for passwords at login and ultimately protecting users against phishing.