Google Moves Beyond The Password With Biometrics

Step by step on the journey to getting rid of the password — and with Google, now a leap?

Amid a series of announcements, marquee names in tech — Google and Microsoft — have fired shots across the bow of static security efforts that involve your mother’s maiden name or where you went to elementary school.

Google announced via blog post earlier this week that users wielding Pixel phones will be able to log into some of the search giant’s services through the Chrome browser with biometrics, such as fingerprints.

“This new capability marks another step on our journey to making authentication safer and easier for everyone to use,” Google said in the post.

The biometric option leverages the standard known as FIDO 2.0 (or FIDO2), which helps companies replace passwords with authentication that involves fingerprints or facial recognition.

As noted in this space, in terms of mechanics, the technology makes use of public key encryption, which in turn involves the use of two keys: one private and one public. A sender encrypts a message to someone using that person's public key, and the recipient uses the matching private key to decrypt it.
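The two-key mechanism described above, as an added example that is not code from Google, the FIDO Alliance or the original article: FIDO2 uses the key pair to sign a one-time challenge rather than to decrypt a message, so the service only ever stores the public key. The function names, the userVerified flag and the service.example origin are assumptions, and the signed message layout is simplified from the real WebAuthn format.

```javascript
// Simplified FIDO2-style challenge-response (illustrative; not the WebAuthn wire format).
const nodeCrypto = require("node:crypto");

// Authenticator (the phone): holds the private key; the biometric check happens only here.
function createAuthenticator() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKey, // the only half of the key pair that ever leaves the device
    // userVerified stands in for the local fingerprint / screen-unlock result (assumption).
    sign(challenge, origin, userVerified) {
      if (!userVerified) return null; // no local match, no signature
      const data = Buffer.concat([challenge, Buffer.from(origin)]);
      return nodeCrypto.sign("sha256", data, privateKey);
    },
  };
}

// Relying party (the web service): stores the public key and issues one-time challenges.
function createRelyingParty(origin, publicKey) {
  const pending = new Set();
  return {
    newChallenge() {
      const c = nodeCrypto.randomBytes(32);
      pending.add(c.toString("hex"));
      return c;
    },
    verify(challenge, signature) {
      // Each challenge is accepted once, so a captured signature cannot be replayed.
      if (!signature || !pending.delete(challenge.toString("hex"))) return false;
      const data = Buffer.concat([challenge, Buffer.from(origin)]);
      return nodeCrypto.verify("sha256", data, publicKey, signature);
    },
  };
}

// Constructed scenario: one valid login plus three cases the service must reject.
function demo() {
  const phone = createAuthenticator();
  const site = createRelyingParty("https://service.example", phone.publicKey);
  const c1 = site.newChallenge();
  const sig = phone.sign(c1, "https://service.example", true);
  const ok = site.verify(c1, sig);
  const replay = site.verify(c1, sig); // same challenge presented a second time
  const c2 = site.newChallenge();
  const wrongOrigin = site.verify(c2, phone.sign(c2, "https://other.example", true));
  const c3 = site.newChallenge();
  const notVerified = site.verify(c3, phone.sign(c3, "https://service.example", false));
  return { ok, replay, wrongOrigin, notVerified };
}
console.log(demo());
```

The service never receives a fingerprint or a private key: it checks a signature over its own challenge and origin, which is why a reused signature or one produced for a different origin fails.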

The Google announcement comes weeks after Microsoft said in May that Windows Hello, the password-free biometric authentication system, has been FIDO2 certified. And it comes after the April news that any phone running Android 7+ can function as a FIDO2 security key (with a global launch earlier this summer). Android was FIDO2 certified in February.

This time around, users verify themselves across Pixel offerings through the screen unlock functions.

Google has said that this is the first time that offerings secured with FIDO2 are being made available to web users, though the activity, as reported, is thus far confined to “step up” authentication activities and not initial logins.

In an interview with PYMNTS, Andrew Shikiar, executive director and CMO of the FIDO Alliance, said the Google move opens up the dialogue a bit on ditching passwords.

“This is the second wave of FIDO adoption,” he told PYMNTS, with a nod to the fact that FIDO has been on the market for a while. The first FIDO authentication deployment took place in 2014 when PayPal and Samsung enabled consumer authentication via fingerprints on the Samsung Galaxy S5.

But as he put it, the Google and Microsoft news over the past few months shows what he termed the “platformized implementation” of FIDO at scale (and Android and Windows are certainly at scale) in ways that have FIDO2 at the core of their security and user authentication.

“The paradigm is really important,” he told PYMNTS. “The idea that you can use your fingerprint to log in to native applications and web services the same way that you unlock your phone is really critical.” The ease of the user experience also will spur increased adoption.

He told PYMNTS it is “critical” to understand that while there may be concerns among the public about biometrics, and about data housed in the cloud, the FIDO-certified approach that is being embraced by Google, Microsoft and others among the 250-member FIDO Alliance roster means all biometric data is kept on device. Google, for example, never sees the fingerprints, and the data are never stored in a centralized location.

He also said that over the longer term consumers will become more focused on authentication, and privacy will become a distinguishing factor.

“It’s a journey,” he said, of the evolution beyond the password, “and little by little we are moving in that direction.”