Google will fix security vulnerabilities in Chrome's password Autofill soon

  • by admin

Mishaal Rahman / Android Authoritative

TL;DR

  • Google Chrome on Android will allow you to require biometric verification before auto-filling your password, adding a much-needed layer of security.
  • This feature closes a vulnerability: the existing biometric protection for Autofill currently applies only to applications, not browsers.
  • A newly discovered setting explicitly states that this protection is about to “reach Chrome”, ultimately preventing passwords from being automatically filled without user verification.

It is a pain to enter your password manually, which is why many people use the autofill service bundled with a password manager to save time. For better security, you should require biometric verification before your password is automatically filled. This prevents thieves who steal your phone from logging in to an account that is not already logged in. Unfortunately, Google Chrome on Android currently does not require any authentication before Android Autofill fills in a password, but that will change soon.

If you use Google Password Manager, you may have noticed the “Use biometrics to authenticate before filling in your password” option under Settings > Google > Use Google > preferences autofill. As the name implies, this setting prevents Google Password Manager from automatically filling in passwords until you verify your identity with your face or fingerprint. Unfortunately, even though Chrome uses the same Autofill Service, this protection only works for applications and does not work in web browsers like Google Chrome.

Fortunately, Google is finally resolving this long-standing oversight. Telegram user Micha told us that the option to “authenticate with biometrics before filling your password” has disappeared from their autofill through Google preferences. Instead, they now see a new “Verify that you want to auto-fill your password” option at the bottom of the main settings page of Google Password Manager. Although the toggle has been repositioned and renamed, it provides the same protection. However, its new description contains a promising detail:

“For added protection, always use fingerprint, face or other screen locks when logging in with Autofill (Chrome is coming soon)”

My colleague Hadlee Simons also has this new switch, so he shared the following screenshot with me:

Hadlee Simons / Android Authoritative

This description confirms that Chrome will soon require your fingerprint, face, or screen lock to automatically fill your password. While it's unclear whether that single setting works for Chrome or whether the browser will get its own switch, this is a much-needed security improvement.

Back in October, we reported that Google Chrome will prevent passwords from being automatically filled if your phone is stolen. The protection is based on Android's identity checking feature, which forces biometric verification when your phone is in an untrusted location. Although Google hasn't integrated identity checking into Chrome yet, the new switch we found seems to enable wider protection regardless of your phone's location.
