Google Chrome will soon block password autofills if your Android phone gets stolen

Your Android phone likely has a ton of sensitive personal, medical, and financial data on it, making it a prime target for thieves. That’s why you should enable the theft protection features that Google just rolled out so thieves can’t keep your phone unlocked after stealing it. If Android’s theft protection fails to lock your phone after it’s been stolen, though, then there’s still some hope that you can secure your data. That’s because apps like Google Chrome will be able to protect your data even if a thief who knows your screen lock steals your phone.

Currently, if a thief peeks over your shoulder and sees you enter your phone’s lock screen PIN, pattern, or password before snatching it, they can not only unlock your phone anytime they want but also get access to many of your most sensitive apps. This is because many apps that ask you to authenticate yourself before you can access certain data let you enter your lock screen PIN, pattern, or password instead of using biometrics like your face or fingerprint. Not all apps do this, but those that do are vulnerable to being cracked by thieves who shoulder surf before stealing a phone. This is a problem that Android’s upcoming Identity Check feature hopes to solve.

Identity Check is basically Android’s version of Apple’s Stolen Device Protection. When Identity Check is enabled, it forces you to use your biometrics to unlock apps, even if those apps ordinarily allow your lock screen PIN, pattern, or password alone. Google announced Identity Check last week and said that it would require the use of biometric authentication when “accessing critical Google account and device settings, like changing your PIN, disabling theft protection, or accessing Passkeys from an untrusted location.” While Google didn’t share many more details beyond that, we’ve seen evidence that not only will Identity Check secure some sensitive data in Google Chrome for Android, too, but that the feature will only work on the next release of Android 15.

Last month, frequent Chrome tipster Leopeva64 discovered a set of code changes in the Chromium Gerrit tagged “idcheck.” He discovered that one of the code changes added a new Chrome flag that “enables android identity check for eligible features.” The flag’s description says that “the feature makes biometric reauthentication mandatory before passwords filling or before other actions that are or should be protected by biometric checks.” After learning that these code changes were tagged “Identity Check,” I decided to dig a bit deeper to see if these Chrome changes are related to the Android Identity Check feature that I discovered a week prior. As it turns out, the Google Chrome team is preparing to support the very same feature.

In one code change, the Chrome team added a new GetBiometricAvailabilityStatus method that returns kRequired if Identity Check is turned on (meaning biometric authentication will be mandatory), kAvailable if biometric authentication is available but optional, kAvailableLSKF if biometric authentication isn’t available, and kUnavailable if there’s no available device authentication method. This method is being added to various parts of Chrome’s codebase, such as the code for Chrome’s password autofill feature. It’s also being added to code relating to payment methods, sync settings, and incognito mode, suggesting that Chrome might require biometric authentication to access these settings as well when your phone is outside of a trusted location.

The new Chrome code confirms that Identity Check will only be available on devices running the upcoming December 2024 release of Android 15, i.e. Android 15 QPR1. One code change explicitly mentions that the MandatoryAuthenticatorControllerImpl “will be instantiated only on Android version V and higher.” (The V refers to Vanilla Ice Cream, the dessert code-name of Android 15.) MandatoryAuthenticatorControllerImpl helps set “the mandatory authentication bit in the biometric prompt which should restrict it from falling back to pin or pattern,” and in it, a comment explicitly states that “Identity Check is not in effect” if “the build is not V-QPR1+.” Thus, Identity Check will only be available in Android 15 QPR1 or later, which lines up with our original report on the feature.

Google hasn’t confirmed that Identity Check will require Android 15 QPR1, but all signs point towards that being the case. It also hasn’t shared how the feature works, but from what we can tell, Google will roll out a server-side update to the Google Play Services app that will add a new “mandatory biometric” setting.

Turning this on will opt you into Identity Check, which will then force apps to only accept biometric authentication. Although Google Chrome is preparing to add support for Identity Check, it won’t roll out until the “mandatory biometric” setting is available, which will likely happen in December with the release of Android 15 QPR1.