I've quoted biometrics as a key factor in the decision to move away from Windows 10 Mobile to Android (or perhaps iOS). We live in a world where so much needs to be signed in, secret, and private, that managing and typing in passwords and two factor codes is a major, major hassle, and re-using passwords and accounts is oh-so-tempting. Using fingerprints, iris recognition, or face scanning, mean that applications and - now - web sites can know who we are. Today sees the start of a rollout of fingerprint scanner integration into Google Play Services and then access into compatible web sites.

So yes, this applies to Android, and we can again only wonder how far biometric support could have come for Windows 10 Mobile if Microsoft had used it rather than betting the farm on (the Lumia's) iris recognition, a fiddly system that no one liked and few used. Oh well.

From Google's blog:

Passwords, combined with Google's automated protections, help secure billions of users around the world. But, new security technologies are surpassing passwords in terms of both strength and convenience. With this in mind, we are happy to announce that you can verify your identity by using your fingerprint or screen lock instead of a password when visiting certain Google services. The feature is available today on Pixel devices and coming to all Android 7+ devices over the next few days.

These enhancements are built using the FIDO2 standards, W3C WebAuthn and FIDO CTAP, and are designed to provide simpler and more secure authentication experiences. They are a result of years of collaboration between Google and many other organizations in the FIDO Alliance and the W3C.

An important benefit of using FIDO2 versus interacting with the native fingerprint APIs on Android is that these biometric capabilities are now, for the first time, available on the web, allowing the same credentials be used by both native apps and web services. This means that a user only has to register their fingerprint with a service once and then the fingerprint will work for both the native application and the web service.

Note that your fingerprint is never sent to Google’s servers - it is securely stored on your device, and only a cryptographic proof that you’ve correctly scanned it is sent to Google’s servers. This is a fundamental part of the FIDO2 design.

Here is how it works: Google is using the FIDO2 capability on Android to register a platform-bound FIDO credential. We remember the credential for that specific Android device. Now, when the user visits a compatible service, such as passwords.google.com, we issue a WebAuthn “Get” call, passing in the credentialId that we got when creating the credential. The result is a valid FIDO2 signature.

Good stuff, even if it will take a while for more web sites to get onboard with the FIDO API. Anyone know of a few good examples?

Passwords.google.com is a good place to start and demonstrates the fingerprint access in action:

Verifying web access to a site using my fingerprint; (right) passwords.google.com reveals all sorts of interesting things, showing just how many passwords Chrome/Google is saving for you (hint: have a prune), here's a login for AAWP, which doesn't use logins! (It's actually for our back end CMS)

It's clear that a lot of the good work on mobile security is now being done by Google, though the new partnerships of Microsoft with Samsung do mean a Samsung Android-powered flagship is still my recommended route for anyone thinking of finally leaving Windows 10 Mobile for better supported pastures. Yes, many services and sites still work with Windows on phones, but many of them are a pain to get logged in with. Today's Google news means that our online lives may just get a little easier.