Google account holders will soon be able to use their fingerprints to authenticate their accounts and log into their Android web-connected apps. The Android OS maker has now started to push a simplified authentication technique to ever more services that once mandated a username and password for secure access. The push for fingerprint authentication comes after several successful hacks owing to poor password choices.
While trying to come up with alternative authentication methods, companies and online service providers appear to have settled on biometric or, more specifically, fingerprint authentication. PIN, fingerprint and even Face ID are increasingly common methods smartphone users employ to gain access to their devices. Now web apps and other online platforms will allow similar fingerprint authentication techniques too. In addition to simplifying and speeding up the login, the newly accepted methodology is also expected to boost security owing to the uniqueness of the biometric authentication system, which cannot be easily hacked or duplicated.
World Wide Web Consortium (W3C) Approves WebAuthn API:
The World Wide Web Consortium (W3C) and the Fast Identity Online (FIDO) Alliance have worked together on ways to boost online security. The group, which consists of several tech companies, has been rightly concerned about the extremely poor password hygiene that internet users practice. Common mistakes such as using the same passwords on multiple platforms, using simple passwords, not changing passwords, not using two-factor authentication, and other bad habits have allowed hackers to penetrate the security of several online platforms.
To combat the rising menace of password cracking, the WebAuthn API was created. Companies like Amazon, Apple, Alibaba, Mozilla, PayPal, Yubico, and Google have supported WebAuthn, which is part of the FIDO2 authentication specification. The API essentially enables password-free logins on mobile web services. To make this a reality, a user who logs in to a specific website on their phone is prompted to register their device with that website. Once successfully registered, the user can use a previously configured local authentication method, such as a screen-lock PIN code or a biometric mechanism, to gain access.
The WebAuthn API should eventually make online accounts more secure by confirming the identity of the user with the fewest possible hurdles. Moreover, users who opt for this convenient and secure method will have to register their biometric credentials with a particular platform only once. Native apps and web applications would then simply accept the new login method.
Incidentally, Google has already begun rolling out the WebAuthn API-based password-free authentication system for a few of its services. Users will have access to all their saved passwords through passwords.google.com without having to enter their Google login details. Although this is the only working instance of the new password-free method, Google should extend the same to other services shortly. Simply put, Google Android smartphone users who have saved their login credentials on the various Google platforms will soon be able to log into them with only their biometric or fingerprint.
Will Google Or Other Services Receive Actual Fingerprints?
With the rising use of the WebAuthn API and biometric authentication, users are rightly concerned about whether their biometrics would be accessed and stored online by other platforms. To address this very concern, Google has ensured that biometrics never leave the smartphone on which they are used. In other words, neither Google nor other companies receive a copy of users’ fingerprints. Everything is executed locally and only a “proof” is sent out. “Only a cryptographic proof that you’ve correctly scanned it is sent to Google’s servers. This is a fundamental part of the FIDO2 design,” noted Google.
Making authentication even easier with FIDO2-based local user verification for Google Accounts | Google Online Security Blog https://t.co/k5Rqr786Y6
— matiere* (@matiere) August 13, 2019
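The "cryptographic proof" described above can be shown as a simplified simulation of the WebAuthn login step; this is an added example, not code from Google or from the article. It models the phone and the server in one Node.js script: the fingerprint result is only a local boolean, the server stores only a public key, and the proof is a signature over the authenticator data plus the hash of the client data. The names `RP_ID`, `ORIGIN`, `makeAuthenticator`, `verifyAssertion` and `demo` are hypothetical, and the `login.example` and `other.example` hosts are constructed.

```javascript
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
const RP_ID = 'login.example';          // constructed relying-party ID (assumption)
const ORIGIN = `https://${RP_ID}`;      // constructed origin (assumption)

// Authenticator side (the phone): private key and fingerprint check never leave it.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // the only thing registration hands to the server
    getAssertion(challenge, origin, userVerified) {
      if (!userVerified) return null; // local fingerprint/PIN check failed: nothing is sent
      const clientDataJSON = Buffer.from(JSON.stringify({
        type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
      // authenticatorData = SHA-256(rpId) | flags (UP=0x01, UV=0x04) | 4-byte sign counter
      const rpIdHash = sha256(new URL(origin).hostname);
      const authData = Buffer.concat([rpIdHash, Buffer.from([0x05]), Buffer.alloc(4)]);
      const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
      return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, privateKey) };
    },
  };
}

// Server side: holds the public key and the challenge it issued, nothing biometric.
function verifyAssertion(publicKeyPem, expectedChallenge, a) {
  if (!a) return false;
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get' || client.origin !== ORIGIN) return false;
  if (client.challenge !== expectedChallenge.toString('base64url')) return false;
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return false;
  if ((a.authData[32] & 0x05) !== 0x05) return false; // user present and verified
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKeyPem, a.signature);
}

function demo() {
  const phone = makeAuthenticator();
  const stored = phone.publicKey.export({ type: 'spki', format: 'pem' }); // server's record
  const challenge = crypto.randomBytes(32);
  const good = phone.getAssertion(challenge, ORIGIN, true);
  return {
    login: verifyAssertion(stored, challenge, good),
    replayed: verifyAssertion(stored, crypto.randomBytes(32), good),
    fingerprintRejected: verifyAssertion(stored, challenge, phone.getAssertion(challenge, ORIGIN, false)),
    otherOrigin: verifyAssertion(stored, challenge, phone.getAssertion(challenge, 'https://other.example', true)),
  };
}
console.log(demo());
```

A real deployment also validates attestation at registration and tracks the sign counter; both are left out here to keep the focus on what crosses the network.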
Google Android smartphones running Android Nougat 7.0 and above should soon start offering users the ability to log on without using login credentials. Needless to say, users will be required to log in to their personal Google Account on the device and to set up a screen-lock code. In other words, unsecured Android smartphones will not gain this ability. Moreover, Google is restricting the ability to access web platforms with biometrics to its Chrome browser only. It is quite likely the search giant will soon include other apps.
WebAuthn API And FIDO2 Login To Become Standard Soon?
Google introduced two-factor authentication long ago. The company continues to urge users to activate the feature to further boost security. There are several safeguards to detect regularly used devices and caution users through mail and SMS about access from unfamiliar devices. Although there are other login methods, biometric authentication is by far the simplest, most commonly used, and the fastest. Hence its adoption too should be the quickest, since most Android smartphone users already employ it to gain access to their devices.
Interestingly, many laptops and other portable devices sport a fingerprint scanner. Hence the hardware requirement is already in place. With Google’s push, many other companies should quickly start adopting and accepting users’ fingerprints as a login.