Google has announced that users can verify their identity by using their fingerprint or screen lock instead of a password when visiting certain Google services, starting with Pixel devices and coming to all Android 7+ devices in the next few days.
Google says that years of collaboration between itself and many other organizations in the FIDO Alliance and the W3C have led to the development of the FIDO2 standards, W3C WebAuthn and FIDO CTAP that allow fingerprint verification.
The key game-changer in how these new technologies can help users is that unlike the native fingerprint APIs on Android, FIDO2 biometric capabilities are available on the Web which means that the same credentials be used by both native apps and web services. The result is that users only need to register their fingerprint with a service once and the fingerprint will then work for both the native application and the web service.
Fingerprint Not Sent To Google’s Servers
Google is keen to point out that the FIDO2 design is extra-secure because it means that a user’s fingerprint is never sent to Google’s servers but is securely stored on the user’s device. Only a cryptographic proof that a user’s finger was scanned is actually sent to Google’s servers.
Try It Out
In order to try the new fingerprint system out, you will need a phone that’s running Android 7.0 (Nougat) or later, make sure that your personal Google Account is added to your Android device, and make sure that a valid screen lock is set up on your Android device.
Next, open the Chrome app on your Android device, go to https://passwords.google.com, choose a site to view or manage a saved password, and follow the instructions to confirm that it’s you trying signing in.
Google has provided more detailed instructions here: https://support.google.com/accounts/answer/9395014?p=screenlock-verif-blog&visit_id=637012128270413921-962899874&rd=1
Google says that this is just the start of the embracing of the FIDO2 standard and that more places will soon be able to accept local alternatives to passwords as an authentication mechanism for Google and Google Cloud services.
What Does This Mean For Your Business?
Not having to use a password but to be able to rely upon fingerprint (biometric) verification (or screen lock) instead should mean greater convenience and security for users of Google’s services, and should also reduce the risk to Google of having to face the results of breaches.
The development and wider use of the FIDO2 standard is, therefore, good news for businesses and consumers alike, particularly considering that Google (at 8% share) is one of the top 10 vendors that account for 70% of the world’s cloud infrastructure services market.
Back in May, Microsoft’s Corporate Vice President and Chief Information Officer Bret Arsenault signalled (in a CBNC interview) that Microsoft was looking also to move away from passwords on their own as a means of authentication towards (biometrics) and a “passwordless future”. For example, 90% of Microsoft’s 135,000 workforce can now log into the company’s corporate network without using passwords but instead using biometric technology such as facial recognition and fingerprint scanning via apps such as ‘Windows Hello’ and the ‘Authenticator’ app.