Google is testing a feature to make Android’s built-in password manager more secure, according to online sleuths who have examined its software. The update, still under development, concerns the autocomplete function of the mobile operating system.
In the past, entering passwords on websites and in applications on your mobile phone was a big problem because of the way mobile operating systems kept applications isolated from one another. In the old days, using a password manager like 1Password or Dashlane on an Android device was difficult, because there was no built-in support for connecting it to other applications and websites so that it could automatically fill in your credentials for you.
Instead, password managers used Android’s accessibility settings as a bridge to other applications, but this didn’t work perfectly and, to begin with, you had to configure it manually. The alternative was even worse: open the password manager, search for the password and then copy and paste it into the application or site you were accessing.
The answer came in the form of autocomplete, which allows the mobile operating system to fill in a password from a trusted list. Google introduced this feature in Android 8 (code-named Oreo) in August 2017. You can use it to take autocomplete entries from third-party password managers, or if you want to keep everything in your Google account, you can use autocomplete with Google’s own password management service.
The problem with the autocomplete feature when using Google’s password manager is that it does not request any additional authorization. Tap the part of the form where your credentials go, and it retrieves the data from Google’s password manager and pastes it in without verifying who you are. That means that if someone else takes your phone while you are distracted, they could log in as you.
According to an XDA Developers report, Google is testing a solution to that problem. Apparently, the company is looking to introduce biometric authentication for autocomplete, which means that people will have to prove their identity before credentials from Google’s password manager are filled in automatically.
XDA analyzed an upcoming APK (an Android package file) that covers the autocomplete service, and found it using the BiometricPrompt application programming interface (API). BiometricPrompt allows applications to authenticate users through a fingerprint, an iris scan or facial recognition, depending on what the phone supports.
XDA tested the functionality by having the operating system authenticate its editor in chief using facial recognition before logging into the Reddit Android application. He also noticed a “Use biometrics” option within the AutoComplete Security settings screen that lets a user turn it on for filling in credentials and payment information.
Third-party password managers already invoke the phone’s biometric authentication before they fill in anything for you. Many of these, such as 1Password, handle both your passwords and your credit card details.
This is an undocumented feature, not yet implemented, in an APK that XDA Developers reverse engineered, so it is not clear when, or even if, Google will activate this biometric feature for autocomplete, although doing so seems obvious. Meanwhile, you can use another password manager to get the functionality. By the time Google ships the update, you may not feel like coming back.