Google’s Password Guardian
Google Password Manager is a built-in service that securely stores and autofills your passwords across Chrome and Android devices. It helps manage, generate, and sync credentials linked to your Google Account.
Chrome stores passwords locally in a file named Login Data, found in the hidden AppData path on Windows: C:\Users\YourName\AppData\Local\Google\Chrome\User Data\Default. This file is an SQLite database in which only the passwords are encrypted; other data such as usernames and URLs is stored unencrypted and readable. The encryption is based on Triple-DES, which is a very strong cipher, and is tied to your Windows login password. This ensures that only someone with access to your Windows credentials can decrypt the saved passwords.
If Chrome sync is enabled, passwords are also stored in your Google Account via the Google Cloud. You can access, manage, delete, or export them through the Google Password Manager website. Syncing requires signing in to Chrome and activating the sync feature. This dual storage system, local and cloud, offers both accessibility and a backup.
Where Your Chrome Passwords Really Go
If you sign in using your username and password but don't save them in the password manager, they are not automatically saved in the database. Chrome's Login Data file (the SQLite database) only stores credentials you explicitly choose to save. Your login is session-based and won't persist after the session without saving.
On a device with multiple Chrome profiles for different Google accounts, each profile maintains its own local Login Data file for passwords and browsing history. When sync is enabled for each account, their respective passwords are also stored in separate, independent databases within the Google Cloud.
If a user opens Chrome without signing into a Google account, it's a regular local profile, not guest mode. In this case, passwords can be saved locally on the device but won't sync with Google Password Manager. Guest mode, however, does not save any passwords or data at all; everything in guest mode is deleted once the session ends.
Exploring the Credential Manager API
The Credential Manager API (specifically for Android) is a unified API for developers to easily integrate various sign-in methods such as passwords, passkeys, and Sign in with Google into their apps. For users, it provides a consistent, native bottom-sheet UI to choose how they want to log in, simplifying the authentication process.
This lets you log in to apps and websites without entering credentials each time. You can view and manage saved passwords under Settings → Google → Autofill → Password Manager, with all credentials synced across your browser and apps in one place.
How Password Managers Handle Various Sign-In Options
When an application uses the Credential Manager API and your device has multiple accounts saved for that specific application, each with a different sign-in method (a traditional password, a passkey, or an Identity Provider (IdP) such as Sign in with Google), these options will typically be presented to you in a native user interface (UI) at the bottom of the screen.
This is where the Google Credential Manager API comes in: it detects and displays the exact sign-in method you previously used for that service when you click sign-in. It doesn't reveal any passwords; instead, it simply notifies you and redirects you to the correct sign-in method.
For now, the Credential Manager API is available on Android devices, with plans to expand support to Chrome in the future.
Elevating Your Security: Google's Smart Password Management
Google offers tools to generate strong, unique passwords that are hard to guess or break using brute-force techniques. These passwords are usually lengthy and include a combination of uppercase and lowercase letters, numbers, and special characters. This complexity helps protect against common attack methods, including those using OSINT to connect your credentials with publicly available personal information.
Google Secures and Autofills Your Passwords
Google also actively monitors for compromised passwords, alerting you if any of your saved credentials have been exposed in a data breach.
This year, Google plans to introduce an automated password change feature. This will use AI to automatically update passwords for accounts detected to have compromised credentials, further enhancing your online security.
Once created, these strong passwords are securely saved within Google Password Manager. They are then automatically filled in for you on the specific websites they were created for.
<label for="pswd1">Current password</label>
<input type="password" id="pswd1" autocomplete="current-password">
<label for="pswd2">New password</label>
<input type="password" id="pswd2" autocomplete="new-password">
<label for="pswd3">Confirm password</label>
<input type="password" id="pswd3" autocomplete="new-password">
Password managers use the autocomplete="current-password" attribute to recognize and autofill the user's saved current password securely. Labels linked to inputs via the for and id attributes improve field detection, making it easier for password managers to identify and manage password fields correctly.
The autocomplete="new-password" attribute tells the browser or password manager that the input is for creating or updating a password. It helps by preventing autofill of the current password in the new/confirm fields and by prompting the user to generate or save the new password securely for future logins.
Credentials Without the Repetition
Password managers save and autofill credentials based on the exact domain (including protocol and subdomain). For example, passwords saved for semo.com won't autofill on semo.org because they are different domains. Autofill works only on the same domain or on exact matches, to prevent credential leakage across unrelated sites. For that reason there is a solution: you host a properly formatted assetlinks.json file on your server under https://yourdomain.com/.well-known/assetlinks.json. This is called Digital Asset Links.
Digital Asset Links is a security mechanism that lets a website prove ownership of, or association with, an Android app by publishing a JSON file on its domain. This file declares trusted relationships, enabling features like seamless app linking, secure data sharing, and verifying that an app and website belong to the same entity. It helps prevent spoofing and phishing by ensuring only authorized apps can interact with the website's content or claim its identity.
[
  {
    "relation": ["delegate_permission/common.get_login_creds"],
    "target": {
      "namespace": "web",
      "site": "https://semo.org"
    }
  },
  {
    "relation": ["delegate_permission/common.get_login_creds"],
    "target": {
      "namespace": "web",
      "site": "https://semo.com"
    }
  },
  {
    "relation": ["delegate_permission/common.get_login_creds"],
    "target": {
      "namespace": "android_app",
      "package_name": "com.semo.mobile",
      "sha256_cert_fingerprints": [
        "DE:AD:BE:EF:12:34:56:78:9A:BC:DE:F0:12:34:56:78:9A:BC:DE:F0:12:34:56:78:9A:BC:DE:F0:12:34:56:78"
      ]
    }
  }
]
This JSON file (assetlinks.json) enables seamless credential sharing between a website and mobile apps via Android Credential Manager. The relation key with "delegate_permission/common.get_login_creds" allows trusted apps or websites to request stored login credentials. The target defines the trusted party: either a website (namespace: "web") or an Android app with a package name and certificate fingerprint.
This setup ensures that only verified apps/sites can access credentials tied to the user's identity on that domain. When Credential Manager checks for autofill permissions, it reads this file to confirm whether autofill can be shared across those domains and apps. If a relationship is established via "delegate_permission/common.get_login_creds", autofill credentials can be shared seamlessly between the related sites and apps.
This enables autofill for multiple domains under your control without the user needing to enter passwords repeatedly. It also minimizes phishing attempts, because only the trusted website will have passwords autofilled, preventing fake sites from capturing user credentials.
You can generate the Digital Asset Links JSON file using the Google Play Console (where Android app creators upload and manage their apps on the Google Play Store) for your Android app, then host this assetlinks.json file at https://yourdomain.com/.well-known/assetlinks.json on your website. This setup verifies the trust relationship between your app and website under your domain by hosting a JSON file (assetlinks.json) at a well-known location. Both the app and the website must publish matching statements to establish mutual trust.
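As an added example, not the article's or Google's own code, here is a simplified JavaScript model of the decision a credential manager makes when it reads the assetlinks.json above: saved credentials for the site are shared only with a target that exactly matches a statement granting get_login_creds. The statements are the sample from this article; the requester object shape and the function names are assumptions.

```javascript
// Added example, not Google's code: a simplified model of the check a
// credential manager performs against a site's assetlinks.json before
// sharing passwords saved for that site with another origin or an app.
// STATEMENTS is the constructed sample from this article.
const GET_LOGIN_CREDS = 'delegate_permission/common.get_login_creds';
const SAMPLE_FINGERPRINT =
  'DE:AD:BE:EF:12:34:56:78:9A:BC:DE:F0:12:34:56:78:9A:BC:DE:F0:12:34:56:78:9A:BC:DE:F0:12:34:56:78';
const STATEMENTS = [
  { relation: [GET_LOGIN_CREDS], target: { namespace: 'web', site: 'https://semo.org' } },
  { relation: [GET_LOGIN_CREDS], target: { namespace: 'web', site: 'https://semo.com' } },
  { relation: [GET_LOGIN_CREDS],
    target: { namespace: 'android_app', package_name: 'com.semo.mobile',
              sha256_cert_fingerprints: [SAMPLE_FINGERPRINT] } },
];

// Reduce a site string to its origin (scheme + host + non-default port),
// so "https://semo.org/login" equals "https://semo.org" while
// "http://semo.org" and "https://www.semo.org" do not.
function originOf(site) {
  try { return new URL(site).origin; } catch (e) { return null; }
}

// Returns true only if some statement grants GET_LOGIN_CREDS to exactly the
// requesting target: no scheme or subdomain fallback for web origins, and
// both package name and signing-certificate fingerprint for Android apps.
function isLoginCredsDelegated(statements, requester) {
  if (!Array.isArray(statements)) return false;
  return statements.some((st) => {
    if (!st || !Array.isArray(st.relation) || !st.relation.includes(GET_LOGIN_CREDS)) return false;
    const t = st.target || {};
    if (t.namespace !== requester.namespace) return false;
    if (t.namespace === 'web') {
      const want = originOf(requester.site);
      return want !== null && originOf(t.site) === want;
    }
    if (t.namespace === 'android_app') {
      const known = (t.sha256_cert_fingerprints || []).map((f) => f.toUpperCase());
      const offered = String(requester.sha256_cert_fingerprint || '').toUpperCase();
      return t.package_name === requester.package_name && known.includes(offered);
    }
    return false;
  });
}
```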
The Magic of Passkeys
Passkeys, a combined system of cryptographic keys, represent the next generation of online authentication, offering both enhanced security and greater convenience compared to traditional passwords. Signing in with a passkey is as easy as choosing your account and confirming with a face scan, fingerprint, or PIN: no need to type usernames, enter passwords, copy codes from SMS, or click email links. Many apps have seen sign-in times cut in half (50%) after adopting passkeys.
Passkeys are stored in the password manager, but not all password managers sync them. This creates a challenge: if passkeys are not synced, accessing a website that requires a passkey not available on the current device means you must scan a QR code with a device that has the passkey. This process can be difficult and inconvenient.
This year Google has integrated passkey synchronization into its Password Manager, allowing users to save and use passkeys across devices running Chrome on Windows, macOS, Linux, and Android. This integration simplifies the authentication process and enhances security by eliminating the need for traditional passwords; it limits the need for the QR code scan, although it may still be presented.
Passkeys aren't shared with websites, making them safe even if a site is hacked. With passkeys, users can log in quickly using biometrics or a PIN: no more typing, remembering, or waiting for codes.
The Tech Behind Passkey Authentication
The Android Keystore is a secure container within an Android device that stores cryptographic keys; it provides a secure way to manage cryptographic keys on Android devices. It achieves its strongest security by leveraging hardware-backed components like the Trusted Execution Environment (TEE) or Secure Element (SE). These components act as a mobile equivalent of a TPM, protecting keys from software attacks and unauthorized access.
- When you visit a website that supports passkeys for the first time and choose to create a passkey, your biometrics (like a fingerprint or face scan) are used to authorize the creation of the key pair and to protect access to the private key, but they are never sent to the website.
- Your device (e.g., an Android phone or Chromebook) generates a new asymmetric key pair: a private key, securely stored in the device (e.g., in the Android Keystore), and a public key, which is sent to and stored by the website.
- When you return to log in, the website sends a challenge to your device. Your device uses your stored private key to sign the challenge, but only after confirming your identity locally via biometrics or PIN.
- The signed challenge is sent back to the website. The website verifies it using the public key it already has, confirming it's really you.
The application knows which user a request belongs to because it stores each user's public key linked to their account. When the user tries to log in, they provide an identifier like a username. The server then uses this identifier to find the correct public key and verify the signed challenge from the user's device.
Even if a website gets hacked, your private key is never exposed because it never leaves your device. The hacker would only have the public key (which is useless on its own for authentication). This makes passkeys far more secure than traditional passwords, which can be stolen, guessed, or reused across different sites.
The passkey's private key is indeed saved locally on the device within the Android Keystore, specifically in secure hardware like the TEE or SE. You cannot directly see this private key. The public key is stored by the online service (server). Biometrics (fingerprint, face scan, or PIN) are used to authorize the use of this private key for authentication. The private key itself remains on the device and is never shared directly with Google. Instead, Google Password Manager securely syncs an encrypted form or reference of the passkey across your multiple signed-in devices and browsers, enabling seamless access and usage without exposing the sensitive private key.
Strategies to Get Users Onboard
This year, we will be introducing an API that automatically requests the user's password manager to create a passkey. This process will work as long as the user has signed in to the site recently using a password.
It's recommended to make this API call after the user has successfully logged in with their password; once that's done, the passkey is made available in Chrome 136 on all desktop platforms.
Auto-Import Your Credentials
We can import passwords from another password manager without needing to download a file and manually import it into Google Password Manager. This is achieved through auto-detection on the same Android device. The device will detect the other password manager and then automatically migrate all the passwords and passkeys to Google Password Manager.
The device detects other password managers through system-level APIs and integrations that allow apps to query installed password management apps.
Keys to the Digital Kingdom
Google Wallet is a digital wallet app that securely stores and manages various types of digital credentials, such as credit/debit cards, boarding passes, event tickets, and government-issued IDs (like digital licenses). It allows users to access their credentials instantly via their mobile device, making transactions and identity verification easier and more secure.
For example, if an application requires users to verify they are over 21, they can provide this identity via Google Wallet, where their digital license is securely stored.
A Google Wallet Guide
- Download the app from the Play Store and set up your account.
- Ensure your state or country supports digital IDs in Google Wallet (e.g., Arizona, Colorado).
- Open Google Wallet, tap the "+" icon, and select "Add driver's license or ID."
- Select your state or the organization that issued your ID. Google Wallet sends your request to the issuer to verify that the ID is legitimate and matches the records in their system.
- The issuer confirms your identity, either by scanning your physical ID, using biometric data (like facial recognition), or through another secure method.
- Once the verification is successful, your state ID or driver's license is added to Google Wallet.
- Once added, these credentials can be accessed and used for verification or other purposes within apps and websites.