Key Takeaways
- Chrome is working to improve security by using biometric authentication for password autofill.
- Chrome now overrides system-level settings to prioritize biometric ID verification.
- A new Chrome flag in Canary ensures that your biometric ID is required before you enter your password.
Google Chrome is one of the most popular browsers in the world, and this is significant considering there are other Chromium-based options out there. Part of the reason for its popularity is the convenience of the browser, with features like an integrated password manager, easy history syncing, and plenty of extensions. Google has also kept Chrome close to the cutting edge of security technology, with support for passkey authentication already widely available. Now, biometric authentication for password autofill is getting even better.
Chrome uses Google Password Manager (GPM) to store your credentials and autofill them when you log into your accounts. Typically, if you have the corresponding setting on your device turned on, GPM will prompt you for biometric authentication before providing those credentials to third-party apps.
setting → Passwords, passkeys, and autofill → Google → setting
However, Chrome tends to override this setting, leveraging its tight integration with the Google ecosystem.
Google has posted some changes that simplify creating passkeys in GPM from devices other than your main Android phone, including via Chrome. Separately, Chrome feature researcher @Leopeva64 on X (formerly Twitter) has found evidence suggesting that Google may be able to authenticate sign-ins in the browser using biometrics like it does in all other apps.
A new flag paves the way for change
Typically, new Chrome features are seen in the Canary version, but the Android app now has a flag that makes it mandatory to verify your biometric ID before entering your password. Interestingly, the flag's description says that the fingerprint prompt will only appear if “your phone is in an untrusted location.” That's not terribly useful, but it could provide additional protection for your credentials in public places, such as when connecting to a guest Wi-Fi network.
chrome://flags/#BiometricIDCheck
Leopeva64 points out that this flag was available in Chrome a few years ago but was mysteriously removed, even though competing browsers bypass the system-level setting and properly handle autofill requests without first prompting for biometric authentication. Hopefully, this change will be integrated into the stable version in a future update.