Google on Wednesday officially rolled out support for passkeys, the next-generation authentication standard, to both Android and Chrome.
“Passkeys are a significantly more secure alternative to passwords and other fraudulent authentication factors,” the tech giant said. “They can’t be reused, don’t leak in server breaches, and protect users from phishing attacks.”
The feature was first announced in May 2022 as part of a broader effort to support a popular passwordless login standard.
Passkeys, established by the FIDO Alliance and also supported by Apple and Microsoft, aim to replace standard passwords with unique digital keys stored locally on the device.
Creating a passkey requires the end user to confirm the account that will be used to log in to the online service, and then to authenticate with their biometrics or device passcode.
Logging into a website on a mobile device is also a simple two-step process, which involves choosing an account and presenting their fingerprint, face, or screen lock when prompted.
The underlying principle that powers passkeys is public key cryptography: the “secret” private key is stored on the user’s device, while the public key is stored by the online service.
Thus, during login, a passkey-enabled platform uses the public key to verify a signature made with the private key, confirming the authenticity of the user.
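The login check described above, as an added example that is not from the original article or from Google: a simplified Node.js model of a passkey assertion, showing that the service holds only a public key and that a signature bound to the wrong origin, a stale challenge, or a different key is rejected. The function names and the `shop.example` origins are assumptions made for illustration, and the authenticator data is reduced to the RP ID hash.

```javascript
// Added example: simplified model of a passkey sign-in (not the full WebAuthn wire format).
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the private key stays on the device, the service keeps only the public key.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { rpId, privateKey }, serverRecord: { rpId, publicKey } };
}

// Device side: sign the server's challenge together with the origin the browser observed.
function signAssertion(device, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const authenticatorData = sha256(device.rpId); // real authenticator data also has flags and a counter
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData,
           signature: crypto.sign('sha256', signed, device.privateKey) };
}

// Service side: check challenge, origin and RP ID hash, then verify with the stored public key.
function verifyAssertion(record, expectedChallenge, expectedOrigin, assertion) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'wrong type';
  if (clientData.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (clientData.origin !== expectedOrigin) return 'origin mismatch';
  if (!assertion.authenticatorData.equals(sha256(record.rpId))) return 'rpId mismatch';
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, record.publicKey, assertion.signature) ? 'ok' : 'bad signature';
}

// Constructed scenario: one genuine sign-in and three assertions the service must reject.
function demo() {
  const site = 'https://shop.example';
  const { device, serverRecord } = createPasskey('shop.example');
  const challenge = crypto.randomBytes(32);
  const genuine = signAssertion(device, challenge, site);
  const lookAlike = signAssertion(device, challenge, 'https://shop-example.test');
  const otherDevice = createPasskey('shop.example').device; // key the service never registered
  return {
    genuine: verifyAssertion(serverRecord, challenge, site, genuine),
    lookAlike: verifyAssertion(serverRecord, challenge, site, lookAlike),
    replayed: verifyAssertion(serverRecord, crypto.randomBytes(32), site, genuine),
    wrongKey: verifyAssertion(serverRecord, challenge, site, signAssertion(otherDevice, challenge, site)),
  };
}
console.log(demo());
```

Nothing in `serverRecord` can produce a signature, which is why a breach of the service's database does not expose a reusable credential.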
The passkey private key generated for each user account for an online service is also encrypted when stored on the user’s device using a hardware-protected encryption key.
The most compelling advantage of passkeys is that they are also browser and operating system independent, meaning Android users can sign in to a passkey-enabled website using Safari on iOS or macOS, or the Chrome browser on Android or Windows.
Google also notes that passkeys are securely stored and synced to the cloud via Password Manager to prevent lockouts, and that developers can integrate passkey support on their websites using the WebAuthn API.
“When a passkey is backed up, its private key is uploaded only in encrypted form using an encryption key that is only accessible on your device,” said Google software engineer Arnar Birgisson.
“This protects the passkey against Google itself or, for example, a malicious attacker inside Google. Without access to the private key, that attacker cannot use the passkey to log into your respective online account.”
The internet giant added that it aims to release APIs for native Android apps by 2022, providing users with a standard way to choose passkeys or saved passwords.