Google starts fingerprint authentication with web service for Android users
Android users will have the option to log in to a number of Google services via the mobile Chrome browser using the fingerprint scanner instead of a password. Google bases the functionality on the FIDO2 standards WebAuthn and CTAP.
For now, fingerprint authentication is only possible at passwords.google.com, Google's password manager, but the company plans to expand the functionality to more services over time. According to Google, Pixel phone owners will be able to use this new functionality starting Monday, and it will become available for all devices running Android 7 or higher in the next few days. Users must first have a valid screen lock set up on their device. After the screen lock has been used to access the Google account, the user is prompted to verify their identity with the fingerprint.
Only devices running Android 7.0 or higher qualify because only those devices are certified for FIDO2. The option to log in without a password is built on the FIDO2 standards WebAuthn and CTAP. WebAuthn is a W3C standard intended to replace traditional passwords and make it possible to log in to the browser with a fingerprint or an external device, among other things. FIDO2, from the FIDO Alliance and the W3C, is an open authentication standard that builds on U2F and UAF. The goal is to make the authentication process easier. Google says it has worked with the FIDO Alliance and the W3C for years to arrive at the functionality now available.
An important advantage of FIDO2 over using the native fingerprint APIs on Android is that these biometric authentication methods are now available on the web for the first time, according to Google. This means that users can use the same login method in apps and web services. They then only have to register their fingerprint with a service once, and it is then used in both the app and the web implementation of that service. Incidentally, the fingerprint is not stored on Google's servers; it stays on the device. According to Google, only a ‘cryptographic proof’ is sent that the user has successfully scanned their fingerprint.