#privacy: Google replaces passwords for Android users

Google announced this week that it will start replacing passwords to provide a simple authentication experience. 

In a blog post, Dongjing He, a software engineer, and Christiaan Band, product manager explained that new security technologies are “surpassing” passwords, in regards to strength and convenience. 

With that in mind, Google has announced that users of Pixel devices and Android 7+ devices, will be able to verify their identity by using their fingerprint or screen lock instead of using a password. 

The new functionality is built using FIDO2, a password free login technology. One of the benefits of utilising FIDO2, is that biometric capabilities are now available on the web which allows the same credentials to be used by “both native apps and web services”. Therefore a user only has to register their fingerprint with a service once, and it will then work for both the web service and native application. 

“Google is using the FIDO2 capability on Android to register a platform-bound FIDO credential. We remember the credential for that specific Android device. Now, when the user visits a compatible service, such as passwords.google.com, we issue a WebAuthn “Get” call, passing in the credentialId that we got when creating the credential. The result is a valid FIDO2 signature.”

It is noted that a users fingerprint is securely stored on their device and never sent to Google’s servers. A user can protect their accounts with two-step verification with Titan Security Keys and/or an Android phone’s built-in security key. 

To use the new technology, the device must be running Android 7 (Nougat) or later, as well has have a personal Google account added to the device. Additionally, the Android device must have a valid screen lock set up. 

This announcement, marks a new step into the journey of authentication.

“As we continue to embrace the FIDO2 standard, you will start seeing more places where local alternatives to passwords are accepted as an authentication mechanism for Google and Google Cloud services.”


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/