Google will soon fix a security loophole in Chrome’s password autofill

Google Chrome password autofill

Mishaal Rahman / Android Authority

TL;DR

  • Google Chrome on Android will let you require biometric authentication before autofilling passwords, adding a much-needed layer of security.
  • This feature closes a loophole, as the existing biometric protection for autofill in Google Password Manager currently only applies to apps, not the browser.
  • A newly discovered setting explicitly states this protection is “coming soon to Chrome,” finally preventing password autofill without user verification.

Manually entering passwords is a pain, which is why many people use autofill services bundled with password managers to save time. For better security, you should require biometric authentication before autofilling passwords. This prevents a thief who steals your phone from signing in to accounts where you aren’t already logged in. Unfortunately, Google Chrome on Android currently autofills passwords without any form of authentication, but that will soon change.

If you use Google Password Manager, you may have noticed the “Authenticate with biometrics before filling passwords” option under Settings > Google > Autofill with Google > Preferences. As its name implies, this setting prevents Google Password Manager from autofilling passwords until you verify your identity with your face or fingerprint. Unfortunately, this protection only applies to apps and doesn’t work in web browsers like Google Chrome, even though Chrome uses the same autofill service by default.

Autofill with Google preferences with biometric security toggle


Fortunately, Google is finally addressing this long-standing oversight. Telegram user Micha told us the “authenticate with biometrics before filling passwords” option has disappeared from their Autofill with Google preferences. Instead, they now see a new “Verify it’s you to autofill passwords” option at the bottom of Google Password Manager’s main settings page. Although the toggle has been relocated and renamed, it provides the same protection. However, its new description contains a promising detail:

“For added protection, always use your fingerprint, face, or other screen lock when you sign in using autofill (coming soon to Chrome)”

My colleague Hadlee Simons also has this new toggle, so he shared the following screenshot with me:

Google Password Manager verify it's you to autofill passwords

Hadlee Simons / Android Authority

This description confirms that Chrome will soon require your fingerprint, face, or screen lock to autofill passwords. While it’s unclear whether this single setting will apply to Chrome or if the browser will get its own toggle, this is a much-needed security improvement.

Back in October, we reported that Google Chrome would block password autofills if your phone is stolen. That protection builds on Android’s Identity Check feature, which forces biometric authentication when your phone is in an untrusted location. While Google has yet to integrate Identity Check into Chrome, the new toggle we’ve spotted seems to enable a broader protection that applies regardless of your phone’s location.
