Google testing biometric support for Autofill service

Google is toying with adding biometric support to its Autofill service on Android devices, deployed by users to automatically populate online forms and apps with personal and sensitive information.

Android code that hasn’t yet been enabled suggests Google’s built-in service could, in a future update, introduce an additional security layer involving fingerprint scanning or facial recognition, according to XDA Developers.

The additional step would be handled through the ‘BiometricPromptAPI’, and would aim to resolve a security concern that has riddled Google’s auto-fill feature for years.

Autofill allows Android users to automatically populate forms and apps with information like passwords, addresses and credit card details, that's synced with their Google account.

With Google’s Android 8 Oreo operating system, the inclusion of an Autofill API opened up support to third-party password managers like LastPass and Dashlane.

Using the equivalent of Autofill with these apps, however, generally requires users to pass an additional layer of security, like a quick fingerprint scan, to verify their identity.

RELATED RESOURCE

Strengthen your defences against cybercrime

Cyber resilience planning for email

FREE DOWNLOAD

Unlike these third-party apps, however, Google’s own feature has never demanded any additional form of authentication.

Attackers, therefore, could in theory gain access to a wealth of sensitive information - including financial data - by just bypassing the passcodes users set that allows access into their devices.

According to an APK teardown, biometric support options would be enabled within the Autofill settings portion of the Android settings menu, under ‘autofill security’.

Users could then separately toggle biometric support on or off for payment information and credentials like usernames and passwords.

Biometric security is increasingly being seen as a reliable and secure alternative to traditional passwords and passcodes. The use of password managers, too, is often recommended by security experts as a means of improving cyber hygiene.

Microsoft, for instance, is a company that’s been highly vocal about the need to shift away from conventional passwords and for users to instead embrace biometrics as an alternative. Its chief information security officer Bret Arsenault has in the past called for online passwords to be eliminated entirely.

Embracing biometric support completely, however, presents its own security challenges, as the Biostar 2 data breach showed, with the nature of the biometric data taken for more permanent than usernames and passwords, which are stolen in most other breaches.

Keumars Afifi-Sabet
Contributor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.