Android smartphones can now log in to web services with fingerprint authentication


by Gerd Altmann

Google announced that biometric authentication, such as fingerprint authentication, can now be used instead of entering a password when using various services. At the time of writing, it works only when accessing a specific Google service from Google's Pixel series smartphones, but within a few days it will be possible to log in with biometric authentication on all devices running Android 7 or later.

Google Online Security Blog: Making authentication even easier with FIDO2-based local user verification for Google Accounts
https://security.googleblog.com/2019/08/making-authentication-even-easier-with_12.html

Now you can use Android phones, rather than passwords, to log in to Google * | Ars Technica
https://arstechnica.com/information-technology/2019/08/google-lets-android-users-skip-the-password-when-logging-in/

Setting up login by smartphone fingerprint authentication looks like this. First, go to Google's password manager, display the passwords stored in your Google account, and select the one you want to set up for login with fingerprint authentication.



“To access your account, unlock the screen and verify your identity” is displayed. Tap “Continue”.



A screen prompting for fingerprint authentication pops up, so authenticate with your smartphone's fingerprint sensor ...



Authentication is complete. You can now log in with fingerprint authentication.



According to Google, this is the first time that biometrics can be used on the web rather than in native apps. This function is realized by WebAuthn, a technology standardized under the FIDO2 authentication standard.

In March 2019, the World Wide Web Consortium (W3C), a standardization body for technologies used on the web, adopted WebAuthn as a web standard login method, and many browsers and web services were expected to migrate to logins that do not use passwords.

The details of WebAuthn can be understood by reading the following article.

Password-free login method "WebAuthn" becomes a web standard - GIGAZINE



Google linked the passwords stored in the Google account with WebAuthn and the device's own authentication function to realize login to sites by fingerprint. WebAuthn supports authentication methods other than fingerprint authentication, so face authentication, a PIN code, pattern lock, and so on can be used as well.



Since the FIDO2 standard is also the authentication method adopted by native apps, credential information is shared, and users who have registered their fingerprints on their smartphones can use fingerprint authentication both in the app and on the web without having to re-register. Also, since only the information that fingerprint authentication succeeded is sent to the website or Google's servers, there is no worry that the fingerprint information will be stolen by a third party.
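What a site receives in place of the fingerprint is a WebAuthn assertion. The following added example (not code from Google or from this article) parses the 37-byte authenticatorData header defined by the WebAuthn specification and applies the relying party's non-cryptographic checks. The host name, challenge and counter values are constructed, and verifying the signature over authenticatorData plus the SHA-256 of clientDataJSON is left out because it needs a cryptography library.

```python
import hashlib, json, struct
from base64 import urlsafe_b64encode

FLAG_UP, FLAG_UV = 0x01, 0x04  # user-present / user-verified bits in the flags byte

def b64url(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode()

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags, sign_count = struct.unpack(">BI", auth_data[32:37])
    return {"rp_id_hash": auth_data[:32], "up": bool(flags & FLAG_UP),
            "uv": bool(flags & FLAG_UV), "sign_count": sign_count}

def check_assertion(auth_data, client_data_json, *, rp_id, origin, challenge, stored_count):
    """Return a list of policy failures; an empty list means every check passed."""
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("wrong ceremony type")
    if client.get("challenge") != b64url(challenge):
        problems.append("challenge mismatch (possible replay)")
    if client.get("origin") != origin:
        problems.append("unexpected origin")
    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match this relying party")
    if not ad["up"]:
        problems.append("user presence flag not set")
    if not ad["uv"]:  # biometric/PIN/pattern check did not happen on the device
        problems.append("user verification flag not set")
    if (ad["sign_count"] or stored_count) and ad["sign_count"] <= stored_count:
        problems.append("signature counter did not increase (possible cloned authenticator)")
    return problems

# Constructed sample values (not captured traffic).
RP_ID, ORIGIN, CHALLENGE = "login.example", "https://login.example", b"\x01" * 16

def sample(flags: int, count: int = 8):
    """Build a constructed authenticatorData / clientDataJSON pair."""
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + struct.pack(">BI", flags, count)
    client = json.dumps({"type": "webauthn.get", "challenge": b64url(CHALLENGE),
                         "origin": ORIGIN}).encode()
    return auth_data, client

if __name__ == "__main__":
    for flags in (FLAG_UP | FLAG_UV, FLAG_UP):
        ad, cdj = sample(flags)
        print(hex(flags), check_assertion(ad, cdj, rp_id=RP_ID, origin=ORIGIN,
                                          challenge=CHALLENGE, stored_count=7))
```

The whole header is a hash of the site's ID, one flags byte and a counter; no biometric template has a field to travel in.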

On the other hand, Ars Technica, a technology news outlet, points out that this new function is a case of “convenience as a security enemy”. That is because logging in to a website in the same way as unlocking a smartphone means that if the smartphone is lost or stolen, not only the smartphone but also the website account is compromised.

Nonetheless, Ars Technica security officer Dan Goodin said, “This new authentication method follows a long-standing effort to make passwords unnecessary,” and expressed his expectation that this will help the Internet evolve into a more secure one.

in Mobile,   Web Service,   Security, Posted by log1l_ks