Google has launched a new feature called Identity Check for supported Android devices that locks sensitive settings behind biometric authentication when outside of trusted locations.
“When you turn on Identity Check, your device will require explicit biometric authentication to access certain sensitive resources when you’re outside of trusted locations,” Google said in a post announcing the move.
In doing so, biometric authentication will be required for the following actions –
- Access saved passwords and passkeys with Google Password Manager
- Autofill passwords in apps from Google Password Manager, except in Chrome
- Change screen lock, like PIN, pattern, and password
- Change biometrics, like Fingerprint or Face Unlock
- Run a factory reset
- Turn off Find My Device
- Turn off any theft protection features
- View trusted places
- Turn off Identity Check
- Set up a new device with your current device
- Add or remove a Google Account
- Access Developer options
Identity Check is also designed to turn on enhanced protection for Google Accounts to prevent unauthorized individuals from taking control of any Google Account signed in on the device.
The feature is currently limited to Google’s own Pixel phones with Android 15 and eligible Samsung Galaxy phones running One UI 7. It can be enabled by navigating to Settings > Google > All services > Theft protection > Identity Check.
The disclosure comes as Google has been adding a steady stream of security features to secure devices against theft, such as Theft Detection Lock, Offline Device Lock, and Remote Lock.
Google also said it has rolled out its artificial intelligence-powered Theft Detection Lock to all Android devices running Android 10 and later across the world, and that it’s working with the GSMA and industry experts to combat mobile device theft by sharing information, tools and prevention techniques.
The development also follows the launch of the Chrome Web Store for Enterprises, allowing organizations to create a curated list of extensions that can be installed in employees’ web browsers and minimize the risk of users installing potentially harmful or unvetted add-ons.
Last month, a spear-phishing campaign targeting Chrome extension developers was found to have inserted malicious code to harvest sensitive data, such as API keys, session cookies, and other authentication tokens from websites such as ChatGPT and Facebook for Business.
The supply chain attack is said to have been active since at least December 2023, French cybersecurity company Sekoia said in a new analysis published this week.
“This threat actor has specialised in spreading malicious Chrome extensions to harvest sensitive data,” the company said, describing the adversary as persistent.
“At the end of November 2024, the attacker shifted his modus operandi from distributing his own malicious Chrome extensions via fake websites to compromising legitimate Chrome extensions by phishing emails, malicious OAuth applications, and malicious code injected into compromised Chrome extensions.”
