Google Offers Password-Free Android Access to its Services
Google took another step toward ditching passwords as a login mechanism this week by announcing support for password-free access to some of its own services from Android phones. In a blog post on Monday, it demonstrated how users could access its cloud-based password manager using the new feature.
Users will be able to verify their identities by scanning their fingerprints on suitably equipped Android devices. While users have been able to access their phones using their fingerprints in the past, the new feature allows them to access back-end Google services as well.
The underlying technology uses standards underpinning FIDO2, which is a password-free log-in technology created by the FIDO Alliance. The underlying technologies, FIDO Client to Authenticator Protocol (CTAP) and W3C's WebAuthn, work together to authenticate the user on the phone and on the back-end site. The user creates a digital token by authenticating themselves on the phone, which CTAP then uses it to authenticate with the browser. WebAuthn then sends a digital token to the back-end service, logging the user in.
To use the service, the phone must be running Android 7 (Nougat) or later and set up with a personal Google account. The device must also be running a valid screen lock.
Google's FIDO2 support also lets users log into services using a hardware key, such as its own Titan Bluetooth-enabled device.
This latest announcement marks another step in Google's support of FIDO2. In February, it adopted the standard for Android apps.
Google rolled out the feature on Pixel devices on Monday and said that other Android devices would get the feature in the coming days.
Other companies have also made strides toward password-free access. In May, Microsoft achieved FIDO2 certification for Windows Hello, its biometric-capable login system included in Windows 10. This enables users to log into their Microsoft accounts using a hardware security key. The company also allowed Firefox users to log into their Microsoft accounts using FIDO2, with support for Google's Chrome to follow.
Source: Information Security Magazine