Google is testing out a feature to make Android’s built-in password manager safer, according to online sleuths who have picked apart its software. The update, still in development, concerns the mobile operating system’s autofill feature.
In the past, entering passwords into websites and apps on your mobile phone was a huge pain because of the way mobile operating systems locked down applications. In the bad old days, using a password manager like 1Password or Dashlane on an Android device was difficult, because there was no built-in support that connected them to other apps and websites so that they could automatically fill in your credentials for you.
Instead, they’d use Android’s accessibility setting as a bridge to other apps, but it didn’t work perfectly and you had to configure it manually to begin with. The alternative was even worse – opening the password manager, looking up the password, and then copying and pasting it into the app or site you were accessing.
The answer came in the form of autofill, which lets the mobile OS fill in the password for you from a trusted list. Google introduced this feature in Android 8, (code-named Oreo), in August 2017. You could use it to take autofill input from third-party password managers, or if you wanted to keep everything in your Google account, you could use autofill with Google’s own password management service.
The problem with autofill when using Google’s own password manager was that it doesn’t ask for any extra authorisation. You tap the part of the form to fill out your own credentials, and it collects the data from Google’s password manager and pastes it in without checking who you are. That means if someone else grabs your phone while you’re distracted, they could potentially log in as you.
According to a report from XDA Developers, Google is testing a fix for that problem. The company is apparently looking at introducing biometric authentication for autofill, meaning that people will have to prove their identity before autofilling credentials from Google’s password manager.
XDA analysed a forthcoming APK (an Android Package file) covering the autofill service, and found it using the BiometricPrompt application programming interface (API). BiometricPrompt lets applications authenticate users via a fingerprint, iris scanner, or face recognition, depending on what the phone supports.
XDA tested the functionality by getting the OS to authenticate its editor in chief using face recognition before logging him into Reddit’s Android app. It also noticed a ‘Use Biometrics’ option within the Autofill Security settings screen that allowed a user to turn it on for filling out credentials and payments information.
Third-party password managers already call the phone’s biometric authentication before they’ll fill anything out for you. Many of these, like 1Password, handle both your passwords and credit card details.
This is an undocumented and not-yet implemented feature in an APK that XDA Developers reverse engineered, so it isn’t clear when – or even if – Google will switch on this biometric feature for autofill, although it seems like a no-brainer. In the meantime, you can use another password manager to get the functionality. By the time Google catches up, you may not feel like going back.
Naked Security
Google tests biometric authentication for Android autofill
Google is testing out a feature to make Android's built-in password manager safer.
Spryte
And just who/what will store these ‘biometrics’?
The phone or tablet, or the goog? (Or some third party?)
None of which are satisfactory to me.
Eddie
How i understand it all biometric information is store on the device only and not stored or synced with any servers or anything.
What would you prefer to have instead?
Dave
I’ll bite…
“The alternative was even worse – opening the password manager, looking up the password, and then copying and pasting it into the app or site you were accessing.” <- worse why? Inconvenience or security?
FWIW, I use keepass one my desktop and Keepass2Android on my phone, with the file syncing via my Nextcloud; and I use the 'copy to clipboard' method in both. Is this less secure that autofill? I thought autofill had it's own issues (hidden fields extracting more data than you thought). If I'm being less secure than I could be, I'd like to know, and why, and how to fix it :)