Here’s a good reason to update to your latest version of Google Play Services: Android devices running version 7.0 and later can now log you into apps and websites without requiring you to type in a password. Using FIDO2, an open standard developed by the FIDO Alliance, the update instead uses your fingerprint or PIN to log you into various services.
While complex passwords can be a secure method to keep your account safe, they are often long, hard to remember, and should be updated periodically (unless you use a password manager.) Two-factor authentication is helpful too, but can be annoying and difficult to access if you’re traveling internationally. With this update and certification, Google and the FIDO Alliance is hoping to move users toward even more secure methods like biometric data, which are difficult to steal and replicate. The standard also stipulates that your data is authenticated locally, so no private information is being transferred to the apps and services you’re logging into.
“The important, often overlooked, part of this technology is actually not allow users to use biometrics to sign in, but rather moving authentication from a ‘shared secret’ model – in which both you and the service you’re interacting with needs to know some ‘secret’ like your password – to an ‘asymmetric’ model where you only need to prove that you know a secret, but the remote service doesn’t actually get to know the secret itself,” says Christiaan Brand, an identity and security product manager at Google. “This is better in many ways, as a breach of your data on the server side doesn’t actually reveal anything that can compromise the keys you use to access the service.”
For devices without a fingerprint sensor, Android will allow you to use other methods, like a PIN or swipe pattern that you use to unlock your phone, to authenticate.
Some Android users may have already seen this live in action: most banking apps, for example, allow you to log in via fingerprint than typing in your password. This authentication standard is also supported through many web browsers, including Chrome, Edge, and Firefox. However, just because the support is there, that doesn’t necessarily mean you can use this method to log into all apps right away. App developers still have to adopt FIDO’s API in order to support the feature.