Google Autofill tests biometric authentication for passwords and payments
With Android 8.0 Oreo, Google finally added highly requested Autofill API, allowing third-party password managers to easily and securely fill in passwords and payment info in apps without relying on the old accessibility workaround. In case you would rather not use the third-party solution to store your credentials, Google also has its own autofill service which is available on any device running Android 8.0 and later with Google Play Services installed.
You can access it by going to Settings > System > Languages & input > Autofill service. It syncs with your Google account and lets you add Personal Information, Addresses, Payment Methods, and Passwords that can be automatically filled in on third-party apps or in Google Chrome.
Just like with LastPass, Dashlane, or other autofill services, with Google Autofill, you’ll see a floating autofill box above any supported input fields. Tapping the box will fill in your data. Currently, there’s no user authentication involved when inputting this data and this, in turn, could allow an attacker to log into your apps and access your sensitive data if they manage to break into your device. For reference, most third-party password managers offer biometric authentication as an additional security layer when auto-filling apps and websites.
Google is aware of this security concern and is currently testing the ability to lock auto-fills behind biometric authentication. This process will be handled by BiometricPrompt API, meaning that you’ll be able to use your fingerprint, iris scanner, or face unlock hardware to authenticate autofill requests.
Our Editor-in-chief, Mishaal Rahman, was able to test this functionality on his Pixel 4 and have the Face Unlock authenticate the autofill in the official Reddit app. The screenshots of the authentication window couldn’t be captured as the Autofill Framework doesn’t allow taking screenshots. However, you can see the new security option within the Google Autofill settings in the screenshot below. Tapping on the option gives you toggles for turning on biometric authentication for payment info and login credentials.
The feature is still under testing and we don’t know when Google plans to release it to the users at large. It may be added in a future update of Google Play Services or it could even be rolled out as a server-side switch — we don’t know for sure yet. We’ll be sure, however, to let you know if we hear anything from Google or find any evidence of a wider rollout.
Thanks to PNF Software for providing us a license to use JEB Decompiler, a professional-grade reverse engineering tool for Android applications.