As Chrome users, we are all familiar with its built-in password manager and how handy it can be for auto-filling saved passwords for us without much fuss. Although many may opt for a more feature-rich third-party solution, Google’s first-party offering stores your credentials in your Google Account and, as long as you are using the Chrome browser, can be used on any device you choose. Google calls this service the Google Password Manager.
In the past few months, Google Password Manager has gained new features that other paid services already offer, such as the ability to manually add a website password without being prompted by that site and the ability to add notes to saved passwords that can contain hints or relevant information. Add that to its existing Password Checkup feature, and you have a compelling reason for letting Chrome handle your password management needs, but Google isn’t done.
On-Device Encryption on Android, iOS, and Chrome
The Tech industry is shifting its views on passwords. It is inevitably moving to more convenient and secure password-less FIDO sign-in standardssuch as Apple and Microsoft do with “passkeys.” Google is implementing its version of passkeys by utilizing several methods, one of which is On-Device Encryptionwhich has already begun to roll out.
Today, when Chrome saves your password, it uses “standard password encryption,” which google explains stores your encryption key in your Google account. To unlock it, you simply need to enter your Google account password plus any 2-step verification method you have set up. Google then uses this key to decrypt your password and log you in.
The upcoming on-device encryption will differ in that your passwords can only be unlocked on your device using your Google account password or biometrics. As your device is now your key to unlock your passwords, this ensures that only you will be able to see them. Once you set up on-device encryption, it cannot be removed, and according to Google, “Over time, this security measure will be set up for everyone to help protect password security.”
According to 9to5Google, users can already initiate the process to set up on-device encryption via the desktop or mobile Chrome browser as well as the Password Manager website or built-in Android experience (more on that below). However, it is not yet widely rolled out on the web, and on mobile, they’ve only encountered it on Chrome Beta (version 103).
Home Screen Shortcut and built-in Android experience
In order to tie in on-device encryption with Android, Google is also rolling out a new built-in experience to access your passwords. You could always access the Google Password Manager in Chrome by navigating to passwords.google.com and from your Android device’s Settings> Privacy> Autofill service from Google> Passwords menu. However, Google is now making it easier to access the native Password Manager experience on Android without fumbling through all your menu options by providing an easy-to-setup shortcut that you can add to your home screen.
To set up the Password Manager shortcut on your Android device, first, make sure you have the June update of Google Play Services, which is required for this to work. Next, go to your device’s Settings> Privacy> Autofill service from Google> Passwords menu and tap on the settings gear from the Password Manager. From there, scroll down until you see a widget that allows you to “add a shortcut to your home screen” and proceed to add the shortcut. You can now access the Google Password Manager at any time using that shortcut, which will use your device’s biometrics or screen lock for authentication.
Default Status starting with Android Chrome 103
Finally, as spotted by 9to5, Google will be replacing the standard password manager on Android Chrome with the more robust and native-looking Google Password Manager. They are essentially the same thing, except the UI looks more like an Android app rather than an embedded webpage look you get when you browse to passwords.google.com. Granted, it is still the same back end, but it is one step further into tying it in all of Android, including Chrome, when it comes time to enable on-device encryption.
If you’d like to check if on-device encryption has been rolled out to your account on the web, go to passwords.google.com and click on Settings. If available, you should see an option to “Set up on-device encryption.” Similarly, you can check on your Android device by opening Password Manager, tapping Settings, then looking for the on-device encryption option.
As mentioned earlier, once you set up encryption, you will not be able to turn it off. Additionally, if you lose your Google password and do not have access to any of the devices you are signed in to your Google account, you risk losing all your passwords. That said, this is something we will all eventually have to set up, as it will at some point become the default authentication method for most platforms.