Chrome is boosting the security of its autofill using biometric authentication such as fingerprint scanning for payments and a touch-to-fill feature for passwords.
Last week, Google announced an update to its Chrome browser, which will allow users to fill in passwords and credit card details in a way that is “more convenient and secure”.
Google Chrome will now include an optional biometric authentication feature, for example using the user’s fingerprint, to autofill credit card details without asking for the three-digit CVC each time.
Chrome uses the W3C standard WebAuthn to secure this biometric information, which never leaves the user’s device. While the feature is already available on Windows and Mac, the company plans to roll it out to Android users in the coming weeks.
The browser has also introduced a ‘touch-to-fill’ password feature to help users manage login details. When users visit a site that requires a password, they will be given a dialog box that will let them choose from a list of their saved account details for that website and sign in without clicking on individual fields.
Google said this feature is coming to Chrome on Android in the coming weeks but is only the start. “We’ll continue to focus on creating intuitive features that keep you safe while you sign in and pay on the web,” it said.
Can you use biometrics for passwords?
While this latest update focuses on using biometrics for payments, Google has also looked at using biometrics for password details. Last year, Google rolled out a new feature that would allow users to sign into some of its services on Chrome on Android using just a fingerprint, while earlier this year it was reported that Google was testing biometric autofill for both payments and passwords.
Infosec expert Brian Honan of BH Consulting said that, while he couldn’t delve into the technical side of Chrome’s latest update, adding biometrics does “raise the bar” when it comes to protecting information.
“We’ve been relying on passwords for people to protect systems and their data, but passwords by themselves can often be insecure,” he told Siliconrepublic.com. “The advice we give people around passwords is very counterintuitive as well.”
When users look for password advice, they will generally be told to pick one that’s at least eight characters long and includes uppercase and lowercase letters, as well as symbols and numbers. Guessable words should be avoided, but it should still be something a user can remember. Add to that the fact that every password you use should be different and it’s no surprise that users may be looking for autofill or biometric options on their browser.
Honan said using a dedicated password manager can alleviate the problem. “Some of the common advice is don’t write your passwords down. I would actually say that’s bad advice. Do write your passwords down, but keep where you write those passwords down very secure. Ideally, that secure place is a password manager.”
He added that biometrics may solve some of the challenges because they rely on something that is unique to users and difficult to hack, while maximising ease of use.
So, what could the future of security hold?
With the convenience of biometrics, users might be ready to shed their password worries altogether. But while biometric information may add an additional level of security, and arguably one that is more difficult to penetrate than passwords, Honan warned that there are limitations.
“The key thing to remember is your biometric can only be used on a device that you have,” he said. “But if you’ve got other devices, you’re still going to need to rely on passwords.”
Honan added that, even with the added security that biometrics bring, users still need to keep their device secure and ensure the systems and software are updated. “Bugs can be discovered and will be discovered in many of these systems and will be exploited by criminals,” he said.
“It shouldn’t be a ‘fix it and forget’ situation. We need to create good security habits that complement each other and not just rely on one thing to protect us.”
He also noted that when it comes to highly sensitive information, it’s important to use multi-factor authentication and have more than one method of logging in so that you have alternative ways of accessing your information.
While Chrome’s latest update may boost the security of its autofill features for payments and passwords, it’s important that users don’t take it as a licence to ditch the basics of security and good password hygiene.
However, Honan added that security and password methods need to be addressed by the industry as a whole. “The introduction of [biometrics] is a good first step and hopefully we’ll see huge developments by all the players in the industry to make our systems much more secure and easier for people to use.”