Android Users Can Now Log in to Google Services Using Fingerprint


If you're using Chrome on Android, you can now sign-in to your Google account and some of the other Google services by simply using your fingerprint, instead of typing in your password every time.

Google is rolling out a new feature, called "

local user verification

," that allows you to log in to both native applications and web services by registering your fingerprint or any other method you've set up to unlock your Android device, including pins, pattern or password.

The newly introduced mechanism, which has also been named "verify it's you," takes advantage of

Android's built-in FIDO2

certified security key feature that Google rolled out earlier this year to all devices running Android version 7.0 Nougat or later.

Besides FIDO2 protocol, the feature also relies on W3C WebAuthn (Web Authentication API) and FIDO Client to Authenticator Protocol (CTAP), which are designed to provide simpler and more secure authentication mechanism that sites can use for secure web-based logins.

It should be noted that your fingerprint is never sent to Google servers; instead, the design works by only sharing a cryptographic proof that you've correctly authenticated using the registered platform-bound FIDO credential.

"Now, when the user visits a compatible service, such as passwords.google.com, we issue a WebAuthn 'Get' call, passing in the credentialId that we got when creating the credential. The result is a valid FIDO2 signature," Google explains in a post published today.

For now, Google has added this functionality to "

passwords.google.com

," an online platform where you can view and edit your saved passwords.

Users with Android 7.0 (Nougat) or later, can set it up if they have a valid screen lock enabled and Google account added to their devices.

Google is working on expanding and adding this functionality to more Google and Google Cloud services in the near future.

The feature would be useful for people who follow basic security practices of creating strong and unique passwords for each website but face trouble in remembering them.

Besides this, you are also highly recommended to enable two-step verification, including

Titan Security Keys

and Android phone's

built-in security key

, for your online accounts that would prevent hackers from gaining access to your accounts even when they have your password.

Google has already started rolling out this new feature for some Android phones, and will make it available for all Android smartphones running Android 7 or later "over the next few days."



from The Hacker News https://ift.tt/33sxtZT