Google is adding its Password Checkup feature to Android, making the mobile operating system the latest Google product to offer users an easy way to check whether the passwords they are using have been compromised.
Password Checkup compares the credentials entered into apps against a list of billions of credentials exposed in the many website breaches of the past few years. When there is a match, users receive a notification and a prompt that directs them to the Google Password Manager page, where they can review the security of all of their stored credentials.
Warnings look like this:
Google introduced Password Checkup in early 2019 as a Chrome extension. In October of that year, the feature made its way into Google Password Manager, a dashboard that examines web passwords stored in Chrome and synced via a Google account. Two months later, the company built it directly into Chrome.
Password Manager lets users go straight to the affected sites by clicking the "Change Password" button that appears next to any compromised or weak password. The password manager can be accessed from any browser, but it works only when users sync credentials using their Google account password rather than an optional standalone sync passphrase.
The new Password Checkup became available on Tuesday to users of Android 9 and later who use Autofill with Google. Autofill fills in passwords, addresses, payment details, and other information commonly entered into web and app forms.
The Android Autofill framework uses encryption to ensure that passwords and other information are available only to authorized users. Google has access to a user's credentials only if the user 1) has already saved the credential to their Google account, or 2) was offered by Android to save a new credential and accepted.
When a user interacts with a password, either by filling it into a form or by saving it for the first time, Google uses the same privacy-preserving protocol that powers Password Checkup in Chrome to test whether the credential appears in a list of known compromised credentials. The API only ever sends passwords that have been cryptographically hashed with the Argon2 function to produce a search key, which is then encrypted with elliptic-curve cryptography.
In a blog post published Tuesday, Google said the implementation ensures that:
- Only an encrypted hash of the credential leaves the device (the first two bytes of the hash are sent in clear text to partition the database).
- The server returns a list of encrypted hashes of known breached credentials that share the same prefix.
- The actual determination of whether the credential has been breached happens locally on the user's device.
- The server (Google) does not have access to the unencrypted hash of the user's password, and the client (user) does not have access to the list of unencrypted hashes of potentially breached credentials.
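To make the four properties above concrete, here is a toy re-creation of the exchange in Python. It is an added example, not Google's code: it substitutes scrypt for Argon2 (Argon2 is not in the Python standard library), models the elliptic-curve step as commutative scalar blinding on secp256k1 with a deliberately simplified hash-to-curve map, and runs against a constructed breach list. The class and function names are the example's own.

```python
"""Toy Password Checkup exchange: prefix bucketing + commutative EC blinding.
Added example, not Google's code. Labelled simplifications:
  * hashlib.scrypt stands in for Argon2 (both are memory-hard).
  * hash_to_point() just multiplies G by the hash; a real deployment uses a
    proper hash-to-curve function, not this shortcut.
  * BREACHED is constructed sample data, not a real dump.
"""
import hashlib
import secrets

# secp256k1 domain parameters (public constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication k*point."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def credential_hash(username, password):
    """Argon2 stand-in: scrypt salted with the username so that client and
    server derive the same 32-byte search key for the same credential."""
    return hashlib.scrypt(password.encode(), salt=username.lower().encode(),
                          n=2 ** 14, r=8, p=1, dklen=32)


def hash_to_point(h):
    """Simplified hash-to-curve: hash used as a scalar multiple of G."""
    return ec_mul(int.from_bytes(h, "big") % N or 1, G)


class CheckupServer:
    """Stores breached credentials only as b*H(cred), bucketed by 2-byte prefix."""

    def __init__(self, breached_credentials):
        self.b = secrets.randbelow(N - 1) + 1        # long-term server secret
        self.buckets = {}
        for username, password in breached_credentials:
            h = credential_hash(username, password)
            self.buckets.setdefault(h[:2], set()).add(ec_mul(self.b, hash_to_point(h)))

    def respond(self, prefix, client_blinded):
        """Return b*(a*H) plus every b*H_i whose hash shares the clear-text prefix."""
        return ec_mul(self.b, client_blinded), self.buckets.get(prefix, set())


class CheckupClient:
    def __init__(self, username, password):
        self.h = credential_hash(username, password)
        self.a = secrets.randbelow(N - 1) + 1        # fresh per-query blind

    def request(self):
        """Only the 2-byte prefix (clear) and a*H(cred) (blinded) leave the device."""
        return self.h[:2], ec_mul(self.a, hash_to_point(self.h))

    def is_breached(self, double_blinded, bucket):
        """Strip a from a*b*H to recover b*H and compare locally; b is never learned."""
        return ec_mul(pow(self.a, -1, N), double_blinded) in bucket


def check_credential(server, username, password):
    client = CheckupClient(username, password)
    prefix, blinded = client.request()
    double_blinded, bucket = server.respond(prefix, blinded)
    return client.is_breached(double_blinded, bucket)


# Constructed sample breach dump (not real data).
BREACHED = [("alice", "password123"), ("bob", "letmein"), ("carol", "hunter2")]

if __name__ == "__main__":
    server = CheckupServer(BREACHED)
    print(check_credential(server, "alice", "password123"))    # True
    print(check_credential(server, "alice", "correct horse"))  # False
    print(check_credential(server, "dave", "password123"))     # False: keyed on (user, password)
```

The server's view of a query is the 2-byte prefix and a*H, which it cannot relate to its own b*H_i without a; the client's view is b*H_i, which it cannot unblind without b, so the equality test on b*H happens only on the device. The prefix is the privacy cost: it narrows the user's hash to one of 65,536 partitions, which is why the bucket is returned whole rather than a yes/no answer.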
Google wrote more about how the implementation works here.
On most Android devices, autofill can be enabled by:
- Open settings
- Tap System > Languages & input > Advanced
- Tap Autofill Service
- Tap Google to make sure the setting is turned on
Separately, Google on Tuesday reminded users of two other security features added to Android Autofill last September. The first is a password generator that automatically picks a strong, unique password and stores it in the user's Google account. It can be reached by long-pressing the password field and selecting Autofill from the pop-up menu.
Users can also configure Android Autofill to require biometric authentication before it fills credentials or payment information into an app or web field. Biometric authentication is turned on in the Autofill with Google settings.