Google Chrome is finally adding biometric security for auto-filled passwords on Android

19 Sep 2024, 21:56 by Chandraveer Mathur · Android Police

Key Takeaways

Chrome is working to enhance security with biometric authentication for password autofill.
Chrome currently overrides system-level settings to prioritize biometric ID verification.
New Chrome flag in Canary ensures biometric ID is needed before password fill-ins.

Google Chrome is one of the world's most preferred browser, and that's saying a lot given there are other Chromium-based options out there. A part of the popularity comes down to the sheer convenience the browser brings with features like the integrated password manager, effortless history sync, and a ton of extensions. Google also keeps Chrome close to the bleeding edge of security tech with support for passkey authentication already available widely. Now, biometric authentication for password autofill is getting even better.

What is a passkey, and how is it different from a password?

Passkeys and their speedy encryption are already starting to replace passwords: Here are the big differences

Chrome uses Google Password Manager (GPM) to store credentials and autofill them when you're signing in to your account. Usually, you'll see GPM seek biometric authentication before supplying these credentials to third-party apps if you've switched on the corresponding settings on your device under Settings → Passwords, passkeys & autofill → Google → Preferences. However, Chrome tends to override this setting, perhaps leveraging its tight integration into the Google ecosystem.

Google just posted a few changes that simplify passkey creation in GPM from devices other than your primary Android phone, including through Chrome. Separately, Chrome feature researcher @Leopeva64 on X (formerly Twitter) found evidence suggesting Google could also get the browser to authenticate sign-ins like every other app, with biometrics.

A new flag paves the way for change

We usually see new Chrome features in the Canary version, and the Android app now features a flag that makes biometric ID verification mandatory before filling in passwords. Interestingly, a descriptor for the flag suggests the fingerprint prompts should only pop up when the "phone is in a non-trusted location." That doesn't help much but we suspect it will further guard your credentials in public places, like when you're connected to guest Wi-Fi networks.

chrome://flags/#biometric-auth-identity-check

Leopeva64 notes the flag was available on chrome a few years ago but was mysteriously removed even though rival browsers handle autofill requests properly without bypassing system level settings to seek biometrics first. Hopefully, the changes are merged with the stable version with an upcoming update.