Passwords, as a security login credential, have been falling out fashion recently as we’ve seen a number of key password policies change. We saw Microsoft realize that constantly pushing users to change their password every few months wasn’t necessarily the most secure way of doing things, before then announcing last month that Windows 10 users can make their devices password free, should they wish.
It now looks like another massive player on the tech scene, Google, is about to do something similar that could potentially see over a billion users turn their backs on passwords.
Google is working on new security standards for Android that will enable users to log in to websites using their phone’s fingerprint sensor instead of a password
As more and more Android devices are being built with fingerprint sensors it makes sense for Google to pivot Android towards using them more often. Passwords have long been the go-to security credential, but this is because we’ve had personal computing devices for decades now while biometric security measures have been reserved for Hollywood depictions of nuclear bunkers or galactic spaceships.
Why are passwords a problem?
Passwords have inherent security flaws built into them. The biggest such flaw is human error. We’re prone to choose a simple password that is easy to remember but that, unfortunately, is also easy to crack. Microsoft recently changed this policy but until recently we’ve often had to update our passwords every six months. This then leads many of us to write down our new passwords on post-it notes and stick them somewhere on our desk.
It isn’t all human error though. Passwords need to be stored on servers, which can then be breached or hacked. We’ve seen a multitude of such breaches in recent years, from the ridiculously scaled Yahoo data breach to the recent story about Google leaving certain user passwords unprotected for over 14 years.
Password managers like the impressive free offering Last Pass, offer a neat solution to the password problem. They store your passwords under rigid encryption and on secure servers and then generate incredibly secure passwords for all the different websites you need to log into.
What’s more, even the free version of Last Pass offers fingerprint authentication across your phone’s apps and on websites across both your mobile and on desktop.
How does the new Google offering all work?
Google is trying to cut out the middleman on Android devices, however, by enabling fingerprint verification for Android phones running version 7, Nougat, and above. If you have a phone running Android 7 or above, the new fingerprint authentication feature should hit your device sometime in the next few days. This will open up fingerprint authentication across key Google products and sites.
The new local biometric authentication update follows an announcement Google made at the Mobile World Conference in February. It was then that Google told the world that all Android 7 phones and above are FIDO2 compliant, which means they can securely unlock sites and apps using either hardware security keys or locally stored information like biometrics. This is the same principle that makes your four-figure Windows 10 pin more secure than your standard multi-digit, multi-character password.
In the Google blog post announcing how FIDO2 Android capability works, it says, “your fingerprint is never sent to Google’s servers – it is securely stored on your device, and only a cryptographic proof that you’ve correctly scanned it is sent to Google’s servers.” This basic, yet much more secure, locally stored security protocol forms a key tenet of the FIDO2 design.
When the new feature lands on your Android device, you’ll be able to test it on Google Chrome by going to Google’s password manager site. There, you’ll find a list of all your web services and security credentials. You’ll then be able to verify your identity using your screen lock security ID, which should be your fingerprint authentication. Go check it out and let us know what you think.