Google Smart Lock: Saving users from entering passwords and reducing app support costs

Say goodbye to individual app passwords with Smart Lock: Netflix, The New York Times and others have already integrated it into their Android apps.


This weekend I wiped and set up an Android phone, finding a nice little surprise: I didn't have to sign in to Netflix after installing it. That was welcome but a head-scratcher because I didn't know why it happened.

Then I remembered: Google launched its Smart Lock feature earlier this year and mobile app developers are starting to take advantage of it.

The Smart Lock API uses the Google Identity Platform so that developers can authenticate users through a centralized service. That means instead of entering IDs and passwords for every single app, Android can simply authenticate people for apps.

Netflix is one of about 40 companies using Smart Lock, which explains why I didn't have to enter my Netflix credentials. Not only was it easier for me, it's better for Netflix too according to Google, which says Netflix has seen a 20 percent reduction in support cases for account issues from its Android app users.

Better yet, Smart Lock works across Chrome and Android; I didn't try it yet but I'm betting that if I open Netflix on a Chromebook, I'll simply be signed in thanks to the service. Netflix says more than 30 percent of its users don't have to enter passwords on Android devices but it's not the only big name using the service: The New York Times now sees 80 percent of its new sign-ins working through Smart Lock on Android.

Google just announced some Smart Lock enhancements that will help both developers and users as well. Those with multiple accounts - say for personal, work and school - can select which to use for Smart Lock on an app-by-app basis. That's helpful for those who use different apps in the office compared to apps for personal use, for example.

And Google is working to make Smart Lock a complete authentication replacement so that passwords can eventually be skipped outright:

"[I]f the user chooses a Google account from the dialog, an OpenID Connect ID Token is provided. This can save your app from having to verify email addresses for new accounts or skip the password altogether for returning users. ID tokens are also used by Google Sign-In to authenticate in place of a password, and are a strong assertion from Google that the owner of the given email address is present. If users on your site recover their passwords by email, then an ID token from Google is giving you the same assertion that the user owns the email address and is signed in to this device with that email address. You can also consider the presence of an ID token, in addition to the password, a signal to prevent password cracking and abuse."

Ideally, anything that can eliminate friction for app authentication is a win-win, provided it offers appropriate security.
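The "appropriate security" part rests on the app's backend actually validating the ID token Google describes above before letting it stand in for a password or an email check. The example below is added here and is not Google's or any named app's code: it decodes a compact JWT and checks the claims that matter (issuer, audience, expiry, verified email), assuming a client ID of `my-app-client-id` and that the signature has already been verified against Google's published keys, a step this snippet does not perform.

```python
import base64
import json
import time
from typing import Optional

# Issuer values Google places in its ID tokens (both forms occur in practice).
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token: str) -> dict:
    """Split a compact JWT and return its payload. This does NOT check the
    signature; that must be done first against Google's published keys."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_unb64url(parts[1]))


def check_claims(claims: dict, expected_aud: str, now: Optional[float] = None) -> str:
    """Return "ok", or the reason this token must not replace a password or
    an email verification. Call only on a signature-verified token."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return "issuer is not Google"
    if claims.get("aud") != expected_aud:          # token minted for another client
        return "aud mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return "token expired"
    if not claims.get("email") or claims.get("email_verified") is not True:
        return "email not asserted as verified"
    return "ok"


def sample_token(claims: dict) -> str:
    """Constructed sample for offline demonstration only: the third segment is
    a placeholder, not a signature Google would produce."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.PLACEHOLDER_SIG"


if __name__ == "__main__":
    good = {"iss": "https://accounts.google.com", "aud": "my-app-client-id",
            "exp": time.time() + 3600, "email": "alice@example.com", "email_verified": True}
    print(check_claims(decode_claims(sample_token(good)), "my-app-client-id"))  # ok
    print(check_claims(dict(good, aud="other-app"), "my-app-client-id"))       # aud mismatch
```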

The Android phone I'm currently using doesn't have a fingerprint scanner, which makes it a good test case for this scenario. Since I can't use a fingerprint, Smart Lock may be the next best thing.