Passwords? Where we’re going, we don’t need passwords
PASSWORDS? THEY’RE soooooo 1990s dude.
Most of the big tech firms have been working for years to consign passwords to history, but few have been so proactive as Google.
Just two weeks after the global launch of its Titan FIDO security key, Google has announced that it will be offering users of its Chrome Password Manager to authenticate their desktop logins using their Android phone.
Some Android phones have been able to double up as a FIDO key for some time, but now you’ll be able to link your phone to Password Manager, and respond to a pop-up on the device to authenticate with an unlock pattern or biometric (probably your fingerprint).
Google claims this is the first time that a product secured with FIDO2 has been made available to web users, offering a “register once, use many” biometric service, combining security standards with the Android fingerprint API.
The new feature which is available on Pixels, but will soon be rolled out to everything running Android 7.0 Nougat and upwards, using a combination of FIDO2, W3C WebAuthn and FIDO CTAP to do its magic. Explains Google, the features are “designed to provide simpler and more secure authentication experiences. They are a result of years of collaboration between Google and many other organizations in the FIDO Alliance and the W3C.”
It’s also worth remembering that the whole point of FIDO is that your biometric data is never sent to Google (or anywhere else) – all that is exchanged is a token confirming that your device has recognised the fingerprint offline.
Google is keen to big up that this is just the beginning: “This new capability marks another step on our journey to making authentication safer and easier for everyone to use. As we continue to embrace the FIDO2 standard, you will start seeing more places where local alternatives to passwords are accepted as an authentication mechanism for Google and Google Cloud services.”
If you want to have a go, and have a Pixel handset (assuming you’re reading this on the day we publish it, otherwise any Android 7.0+ phone will do) then go to passwords.google.com on your desktop web browser and follow the instructions. μ