Reshaping user authentication and identity verification

This year at Google I/O, we shared how Chrome is reshaping user authentication and identity verification on the web with the power of the browser API. Whether you're using passwords, passkeys, or federation, Chrome will offer a unified sign-in and sign-up experience that's simpler, safer, and more user-friendly.

Discover the latest tools and best practices to enhance sign-up and sign-in on your website.

See the session's page or keep reading to learn more about the key highlights.

The browser as your sign-in ally

Authentication on the web is evolving. With increasing user expectations, new regulations, and a growing ecosystem of digital identity tools, developers need to offer sign-in and sign-up flows that are secure, seamless, and privacy-preserving. Chrome is here to help.

There are three major focus areas:

  • User authentication: Helps you support strong sign-in flows with better password management, easier passkey adoption, and built-in support for Identity Federation through federated credential management (FedCM).
  • Identity verification: Lets you request verified user details, like age or ID ownership, using digital credentials from mobile wallets.
  • Session management: Helps you protect users after sign-in by binding sessions to their device with Device Bound Session Credentials.

Explore the tools and APIs that make all this possible.

Credential manager for the web: One sign-in UI for all your credentials

Signing in should be convenient. But with passwords, passkeys, and federated options all in play, users often face a confusing mix of choices.

Chrome is extending the Credential Manager API, letting you request credentials from the browser, regardless of type, using one consistent interface. If credentials are available from a password manager, Chrome will display them to the user in a single dialog, reducing complexity for the user.

If Chrome doesn't find credentials, we'll let you know and you can fall back to your own sign-in flow.

Unified sign in flow with the new Credential Manager API.

This new experience reduces friction and makes sign-in feel more seamless.

This feature is in developer trials. To try it locally, enable the chrome://flags#enable-experimental-web-platform-features flag, then request both password and publicKey credentials in a single navigator.credentials.get() call with mediation: "immediate", which turns on immediate mediation.

The following code snippet shows you how it should look:

// `challenge`: fresh, single-use bytes (Uint8Array) issued by your server for
// this attempt; never reuse one or generate it on the client.
const cred = await navigator.credentials.get({
  password: true,          // return a saved password if there is one...
  publicKey: {             // ...or a passkey registered for this RP
    challenge,
    rpId: 'example.com'    // your site's registrable domain
  },
  mediation: 'immediate',  // only credentials already on this device
});
// `cred` is a PasswordCredential or a PublicKeyCredential; the call rejects
// with NotAllowedError when nothing is available locally.

Learn more in our document about Testing Immediate Mediation on Chrome.

Passwords: smarter and safer

Passwords are still the world's most common authentication method. Browsers and password managers offer tools to make the sign-in experience better with passwords, but sites don't always adopt them.

Chrome supports safer practices with features through Google Password Manager like password generation on sign-up forms or password breach checks to warn users of compromised credentials.

Here are a few tools to improve the experience of using passwords on your site.

Automated password change: Fix compromised passwords in one click

Launching later this year for some websites, Automated password change makes it easier for users to respond when their credentials are at risk.

When Chrome detects a compromised password during sign in, Google Password Manager prompts the user with an option to fix it automatically.

On supported websites, Chrome can generate a strong replacement and update the password for the user automatically.

This reduces friction and helps users to keep their account secure, without hunting through account settings or abandoning the process partway.

Automated Password Change in use.

There are things you can do to optimize your website to work hand in hand with browsers and password managers.

  • Autocomplete optimization: Use autocomplete="current-password" and autocomplete="new-password" to trigger autofill and storage. See our sign-in and sign-up guides.
  • Change password URLs: Make a redirect from <your-website-domain>/.well-known/change-password to the password change form on your website (well-known change password URL). When a vulnerable password is detected, password managers can navigate the user to the change password page.
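As an added example (not code from the original post), here is a minimal Node.js server that does both things the list asks for: it serves sign-in and sign-up forms carrying the autocomplete tokens password managers key off, and it implements the well-known change-password redirect, including the "resource that should not exist" probe the change-password-url spec uses to detect sites that answer 200 to everything. The paths /login, /signup and /account/password are assumptions made for this example.

```javascript
// Added example, not code from the original post. Paths are assumptions.
const CHANGE_PASSWORD_PATH = '/account/password';

// Only the attributes matter here; a real page would be templated.
const SIGN_IN_FORM = `<form action="/login" method="post">
  <label>Email <input name="username" type="email" autocomplete="username" required></label>
  <label>Password <input name="password" type="password" autocomplete="current-password" required></label>
  <button type="submit">Sign in</button>
</form>`;

const SIGN_UP_FORM = `<form action="/signup" method="post">
  <label>Email <input name="username" type="email" autocomplete="username" required></label>
  <label>Password <input name="password" type="password" autocomplete="new-password" required></label>
  <button type="submit">Create account</button>
</form>`;

// The hidden username lets the password manager tie the new password to the
// right account when it stores it.
const CHANGE_PASSWORD_FORM = `<form action="${CHANGE_PASSWORD_PATH}" method="post">
  <input name="username" type="hidden" autocomplete="username" value="">
  <label>Current <input name="current" type="password" autocomplete="current-password" required></label>
  <label>New <input name="new" type="password" autocomplete="new-password" required></label>
  <button type="submit">Change password</button>
</form>`;

const html = (body) => ({ status: 200, headers: { 'Content-Type': 'text/html; charset=utf-8' }, body });
const notFound = () => ({ status: 404, headers: { 'Content-Type': 'text/plain' }, body: 'Not found' });

// Pure routing (no sockets) so it can be tested and reasoned about.
function routeRequest(pathname) {
  // Password managers fetch this URL to find your change-password page. The
  // redirect target must itself answer 200: clients follow the redirect and
  // need a 2xx at the end of the chain.
  if (pathname === '/.well-known/change-password' || pathname === '/.well-known/change-password/') {
    return { status: 302, headers: { Location: CHANGE_PASSWORD_PATH }, body: '' };
  }
  // Reliability probe from the change-password-url spec: clients fetch a path
  // that must not exist. If it comes back 2xx, your well-known URL is ignored
  // as untrustworthy, so make sure catch-all routes do not swallow it.
  if (pathname.startsWith('/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200')) {
    return notFound();
  }
  switch (pathname) {
    case '/login': return html(SIGN_IN_FORM);
    case '/signup': return html(SIGN_UP_FORM);
    case CHANGE_PASSWORD_PATH: return html(CHANGE_PASSWORD_FORM);
    default: return notFound();
  }
}

// Dynamic import so this file loads as either CommonJS or ESM.
async function startServer(port) {
  const http = await import('node:http');
  const server = http.createServer((req, res) => {
    const { pathname } = new URL(req.url, 'http://localhost');
    const r = routeRequest(pathname);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  });
  return new Promise((resolve) => server.listen(port, () => resolve(server)));
}

// node server.js --serve   then:  curl -i localhost:8080/.well-known/change-password
if (process.argv.includes('--serve')) startServer(8080);
```

Run it with --serve and check two things with curl: the well-known URL must answer with a redirect whose target returns 200, and the "resource-that-should-not-exist" path must return 404, otherwise the password manager will not trust the redirect.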

Seamless credential sharing: One sign-in across app and web

Password managers do more than just store passwords. They help prevent phishing by only offering credentials when the domain matches. But users can still run into problems when your service spans multiple domains and platforms.

For example:

  • A user signs up in your Android app and later visits your website on a laptop
  • Or you offer multiple domains or apps that accept the same login

Without a shared credential, the password manager won't offer a saved password, so users may struggle to sign in.

Seamless credential sharing helps fix this. By associating your apps and sites, Google Password Manager can seamlessly share the password across those assets, resulting in a smoother and streamlined sign-in experience.

eBay increased their successful sign-in rate by 10%. Learn more from a case study: How eBay improved login success rates by 10% with seamless credential sharing.

Passkeys: A simpler, more secure sign-in method

Passkeys are a stronger alternative to passwords that help users safely sign in to websites and apps with their device unlock mechanism such as biometrics (for example their fingerprints or face), a PIN, or a pattern. They're phishing-resistant, user-friendly, and are a widely adopted standard across browsers and operating systems.

Sync passkeys across platforms

Users store passkeys in their password manager, but some managers don't sync them. This can cause friction if a user tries to sign in from a device where the passkey isn't available. In that case, Chrome shows a QR code so the user can complete sign in from another device that holds the credential.

To reduce this friction, Chrome added passkey sync support in Google Password Manager.

With support now extended to iOS, passkeys on Google Password Manager can sync across all major platforms, including Android, Windows, macOS, ChromeOS, and Linux. Learn more in the Supported environments article.

Immediate mediation: request only available credentials

Some users don't have synced passkeys on every device. If a passkey isn't found locally, Chrome may show a QR code so the user can use another device that holds the credential. This works, but it can add friction.

To reduce that friction, Chrome supports a new option: mediation: 'immediate'. This enables your site to request only credentials that are already available on the current device. If none are found, the user sees nothing. No prompts, no QR codes, no interruptions. Chrome lets you know so you can show your usual sign-in UI instead.

This improves the experience by avoiding QR-code flows for users without credentials.

Use this approach when a user performs any meaningful action, like clicking a Sign-in or Checkout button. When you use navigator.credentials.get() with mediation: 'immediate', if a passkey is available on the current device, Chrome prompts the user immediately. If not, the user continues without disruption, and you can show a password field, one-time code, or another method.

You can also increase your chances of helping the user sign in by setting password: true. This allows Chrome to return saved passwords alongside passkeys, if available.

The following example shows how to request a passkey with immediate mediation:

// Call this from a user gesture, such as the Sign-in button's click handler.
navigator.credentials.get({
  publicKey: {
    // Fresh, single-use challenge issued by your server for this attempt
    challenge: new Uint8Array([/* your challenge here */]),
    rpId: 'example.com'
  },
  mediation: 'immediate',
  // password: true <== enable this to request passwords alongside passkeys
}).then(credential => {
  // Send the assertion (credential.response) to your server, which verifies
  // the signature against the stored public key before creating a session
}).catch(error => {
  if (error.name === 'NotAllowedError') {
    // No credential found on this device, fall back to another method
    // (password field, one-time code, ...)
  } else {
    console.error('Error during sign-in', error);
  }
});

This feature is in developer trials and you can learn more about it in the WebAuthn immediate mediation explainer.
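The unified Credential Manager call described earlier and the immediate-mediation flow described here are the same request; the following is an added example (not code from the original post) of one sign-in helper that asks for a password or a passkey with mediation: 'immediate' and normalizes whatever comes back for a server round-trip. The server endpoints named in the usage comment and the injectable `credentials` parameter (defaulting to navigator.credentials) are assumptions made for this example so the logic can also be exercised outside a browser.

```javascript
// Added example, not code from the original post. Endpoints are assumptions.

// base64url <-> bytes: WebAuthn works in ArrayBuffers, servers speak JSON.
const fromB64url = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

function toB64url(buf) {
  const bytes = buf instanceof Uint8Array ? buf : new Uint8Array(buf);
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Build the request as the post describes: passwords and passkeys in one
// call, and only credentials that are already on this device.
function buildImmediateRequest(challengeB64url, rpId, { includePasswords = true } = {}) {
  if (!challengeB64url) throw new Error('challenge must be minted by the server per attempt');
  return {
    ...(includePasswords ? { password: true } : {}),
    publicKey: {
      challenge: fromB64url(challengeB64url),
      rpId,                          // registrable domain of the RP
      userVerification: 'preferred',
    },
    mediation: 'immediate',
  };
}

// Returns one of:
//   { kind: 'password', id, password }   -> post to the password endpoint
//   { kind: 'passkey', ...assertion }     -> post to the WebAuthn endpoint
//   null                                  -> nothing local; show the usual form
async function signInImmediately(challengeB64url, rpId, credentials = globalThis.navigator?.credentials) {
  if (!credentials) return null;                      // no Credential Manager at all
  let cred;
  try {
    cred = await credentials.get(buildImmediateRequest(challengeB64url, rpId));
  } catch (err) {
    // Chrome rejects with NotAllowedError when nothing is available locally
    // (or the call was not made from a user gesture). Anything else is a bug.
    if (err && err.name === 'NotAllowedError') return null;
    throw err;
  }
  if (!cred) return null;
  if (cred.type === 'password') {
    // PasswordCredential: send over TLS, never log or persist it in the page.
    return { kind: 'password', id: cred.id, password: cred.password };
  }
  if (cred.type === 'public-key') {
    const r = cred.response;                          // AuthenticatorAssertionResponse
    return {
      kind: 'passkey',
      id: cred.id,
      rawId: toB64url(cred.rawId),
      clientDataJSON: toB64url(r.clientDataJSON),       // server checks challenge + origin
      authenticatorData: toB64url(r.authenticatorData), // server checks rpIdHash + flags
      signature: toB64url(r.signature),
      userHandle: r.userHandle ? toB64url(r.userHandle) : null,
    };
  }
  return null;
}

// Usage from the Sign-in button's click handler (endpoints are assumptions):
//   const { challenge } = await (await fetch('/auth/challenge')).json();
//   const result = await signInImmediately(challenge, location.hostname);
//   if (!result) showPasswordForm();
//   else await fetch('/auth/verify', { method: 'POST', body: JSON.stringify(result) });
```

The server side is unchanged from a normal WebAuthn or password login: the challenge is minted per attempt and consumed once, and the assertion is verified before any session is created. The only client-side difference from a conventional flow is that a NotAllowedError is an expected outcome, not an error to surface.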

Automatic passkey creation

Many users still sign in with passwords. To help them adopt passkeys, Chrome introduces an API that helps you create a passkey for your users, automatically, after a successful password sign in.

All you need to do is to request passkey creation. If the user has a saved password that was used recently, the password manager creates a passkey and lets you know if this was successful. The user may receive a notification once the passkey is available. This does not delete the user's password.

If the passkey is not created, the browser won't disrupt the user or show any UI.

This allows users to adopt passkeys gradually, without interrupting their sign-in flow.

This feature is available from Chrome 136 and you can learn more about it in the Help users adopt passkeys more seamlessly article.
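As an added example (not code from the original post), the following shows the client-side half of automatic passkey creation: after a password sign-in succeeds, it converts server-issued creation options into WebAuthn form and calls navigator.credentials.create() with mediation: 'conditional', staying silent whenever the browser declines. The JSON shape returned by the assumed /passkeys/options endpoint and the injectable `credentials` and `pkc` parameters (defaulting to navigator.credentials and PublicKeyCredential) exist only so the flow can run outside a browser.

```javascript
// Added example, not code from the original post. Endpoint and JSON shape are assumptions.

const fromB64url = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

// Convert server-issued JSON (ids and challenge as base64url) into the binary
// CredentialCreationOptions WebAuthn wants.
function buildConditionalCreateOptions(json) {
  return {
    publicKey: {
      challenge: fromB64url(json.challenge),            // fresh, single-use, server-minted
      rp: { id: json.rp.id, name: json.rp.name },
      user: {
        id: fromB64url(json.user.id),                   // stable opaque id, not the email
        name: json.user.name,
        displayName: json.user.displayName,
      },
      pubKeyCredParams: [
        { type: 'public-key', alg: -7 },                // ES256
        { type: 'public-key', alg: -257 },              // RS256
      ],
      // A passkey is a discoverable credential; ask for one explicitly.
      authenticatorSelection: { residentKey: 'required', userVerification: 'preferred' },
      // Do not create a second passkey where this user already has one.
      excludeCredentials: (json.excludeCredentials ?? []).map((id) => ({ type: 'public-key', id: fromB64url(id) })),
    },
    mediation: 'conditional',                           // no UI unless the browser decides to
  };
}

async function createPasskeyAfterPasswordSignIn(json, {
  credentials = globalThis.navigator?.credentials,
  pkc = globalThis.PublicKeyCredential,
} = {}) {
  // Feature detection: the class, the capability query, and the capability itself.
  if (!credentials || !pkc || typeof pkc.getClientCapabilities !== 'function') {
    return { created: false, reason: 'unsupported' };
  }
  const caps = await pkc.getClientCapabilities();
  if (!caps.conditionalCreate) return { created: false, reason: 'unsupported' };

  try {
    const cred = await credentials.create(buildConditionalCreateOptions(json));
    if (!cred) return { created: false, reason: 'declined' };
    // Register it exactly like an interactive passkey: send the attestation
    // (cred.response.clientDataJSON / attestationObject) to the server.
    return { created: true, credential: cred };
  } catch (err) {
    // The browser may refuse (no recently used saved password, no eligible
    // password manager, user turned it off). Show no UI for this.
    return { created: false, reason: err?.name ?? 'error' };
  }
}

// Usage right after the password login succeeds (endpoints are assumptions):
//   const json = await (await fetch('/passkeys/options')).json();
//   const outcome = await createPasskeyAfterPasswordSignIn(json);
//   if (outcome.created) {
//     // serialize outcome.credential (base64url the ArrayBuffers) and POST to /passkeys/register
//   }
```

The server must treat the resulting registration like any other: verify the challenge, origin and rpIdHash in the attestation before storing the public key, and keep the user's password, since this flow adds a passkey rather than replacing anything.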

Clean up passkeys with the Signal API

If a user deletes a passkey from your site or app, their password manager may still offer it during sign-in, causing failed attempts and confusion. The Signal API lets your site or app notify the password manager when a passkey has been removed, keeping credential lists clean and accurate.

You can also keep passkeys up to date by sending the password manager the list of passkeys your server still accepts for the user. It can then remove or hide any that are no longer valid.

Signal API is available starting from Chrome 132. Learn more in Keep passkeys consistent with credentials on your server with the Signal API.
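As an added example (not code from the original post), here are the three Signal API calls wired to the points in a sign-in flow where a site learns something the password manager should know: an assertion rejected because the server no longer knows the credential, a successful sign-in that yields the authoritative list of accepted credentials, and a change to the user's display details. The server response shapes handled by syncAfterSignIn() and the injectable `pkc` parameter (defaulting to PublicKeyCredential) are assumptions made for this example.

```javascript
// Added example, not code from the original post. Server response shapes are assumptions.

function signalSupport(pkc = globalThis.PublicKeyCredential) {
  return {
    unknown: typeof pkc?.signalUnknownCredential === 'function',
    accepted: typeof pkc?.signalAllAcceptedCredentials === 'function',
    details: typeof pkc?.signalCurrentUserDetails === 'function',
  };
}

// 1. The server rejected an assertion because it no longer has that
//    credential id (the user deleted the passkey in account settings).
//    Ids are base64url strings, the same form the server stores.
async function reportUnknownCredential(rpId, credentialId, pkc = globalThis.PublicKeyCredential) {
  if (!signalSupport(pkc).unknown) return false;
  await pkc.signalUnknownCredential({ rpId, credentialId });
  return true;
}

// 2. After a successful sign-in, push the complete list of ids the server
//    accepts for this user; the password manager hides anything not on it.
//    Never send a partial list: anything missing stops being offered.
async function reportAcceptedCredentials(rpId, userId, allAcceptedCredentialIds, pkc = globalThis.PublicKeyCredential) {
  if (!signalSupport(pkc).accepted) return false;
  if (!Array.isArray(allAcceptedCredentialIds)) throw new TypeError('need the full list of accepted ids');
  await pkc.signalAllAcceptedCredentials({ rpId, userId, allAcceptedCredentialIds });
  return true;
}

// 3. Keep the name/displayName shown in the credential picker current.
async function reportUserDetails(rpId, userId, name, displayName, pkc = globalThis.PublicKeyCredential) {
  if (!signalSupport(pkc).details) return false;
  await pkc.signalCurrentUserDetails({ rpId, userId, name, displayName });
  return true;
}

// Dispatch on the (assumed) JSON your verification endpoint returns:
//   failure: { ok: false, error: 'unknown_credential', credentialId }
//   success: { ok: true, user: { id, name, displayName }, acceptedCredentialIds: [...] }
async function syncAfterSignIn(rpId, verifyResponse, pkc = globalThis.PublicKeyCredential) {
  if (!verifyResponse.ok) {
    if (verifyResponse.error === 'unknown_credential') {
      return { signaled: await reportUnknownCredential(rpId, verifyResponse.credentialId, pkc) };
    }
    return { signaled: false };
  }
  const { user, acceptedCredentialIds } = verifyResponse;
  const a = await reportAcceptedCredentials(rpId, user.id, acceptedCredentialIds, pkc);
  const d = await reportUserDetails(rpId, user.id, user.name, user.displayName, pkc);
  return { signaled: a || d };
}
```

Two cautions: only call signalAllAcceptedCredentials with the list the server considers complete for that user, because anything omitted is treated as deleted; and only report an unknown credential after the server has actually rejected it, so a transient error does not cause a valid passkey to be hidden.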

Import and export: Bring your credentials with you

Users switching between password managers often struggle to transfer their credentials. Chrome is adding support for import and export of passkeys and passwords, based on FIDO standards. No file handling is required by the user.

Autofill enhancements

To show stored credentials in a user-friendly way, Chrome can automatically show the autofill drop-down when the sign-in form is ready. Just support both passwords and passkeys in your form and apply autofocus to the input field.

This is helpful because credentials are shown without requiring the user to click a field. Instead the user can just tap on the credential they want to use, reducing friction.

Learn more in the Sign in with a passkey through form autofill article.

Updated learning resources

We've overhauled our passkey learning resources to make sure you can provide the best possible passkey experience to your users.

FedCM: Improving federated identity

The Federated Credential Management API (FedCM) lets users sign in with trusted identity providers using a browser-mediated flow that puts privacy and user experience first. FedCM helps simplify sign up and sign-in experiences on the web, so developers can support seamless authentication with less effort.

Smarter UI

FedCM now gives you more control over how and when the sign-in prompt appears. It supports two modes:

  • Passive mode: The browser automatically shows the sign-in prompt for known identity providers when users return to your site. This works well for familiar users but can feel intrusive if shown too early.
  • Active mode: The prompt appears only after the user clicks a sign-in button, creating a more deliberate experience.

This is important because it reduces confusion and avoids surprising users. With active mode, users can stay on your site and never see a redirect or other dialogs.

But Chrome is also working on making passive mode smarter. Future updates will experiment with machine learning techniques that incorporate site and user signals to determine when and how to show the UI to provide an optimal user experience.

More flexible APIs

FedCM gives you more flexibility and control over how users sign in with federated identity.

For example, multiple identity provider support lets you show your users a list of providers instead of only one. This means users can choose the account that works for them and improves sign-in rates while maintaining strong user privacy.

The browser still mediates every step. Identity providers only see what users explicitly allow, and privacy stays protected throughout the flow.
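As an added example (not code from the original post), the following requests a federated sign-in token with FedCM in active mode and offers more than one identity provider in the single browser-mediated dialog. The IdP config URLs and client IDs are placeholders, the server endpoints in the usage comment are assumptions, and `credentials` (defaulting to navigator.credentials) is injectable so the logic can run without a browser.

```javascript
// Added example, not code from the original post. Providers and endpoints are placeholders.

const PROVIDERS = [
  { configURL: 'https://idp-a.example/fedcm.json', clientId: 'rp-client-id-at-a' },
  { configURL: 'https://idp-b.example/fedcm.json', clientId: 'rp-client-id-at-b' },
];

// mode 'active': the dialog opens only in response to a user gesture (the
// Sign-in button). mode 'passive': the browser may show the prompt on its own
// for returning users. The nonce binds the IdP's token to this attempt; mint
// it on the server and check it again when the token comes back.
function buildFedCmRequest(providers, nonce, mode = 'active') {
  if (typeof nonce !== 'string' || nonce.length < 16) {
    throw new Error('nonce must be a server-generated unguessable string');
  }
  if (mode !== 'active' && mode !== 'passive') throw new RangeError(`unknown mode ${mode}`);
  return {
    identity: {
      mode,
      providers: providers.map(({ configURL, clientId }) => ({ configURL, clientId, nonce })),
    },
  };
}

async function signInWithFedCm(providers, nonce, { mode = 'active', credentials = globalThis.navigator?.credentials } = {}) {
  if (!credentials) return null;                    // no FedCM: show your own IdP buttons
  let cred;
  try {
    cred = await credentials.get(buildFedCmRequest(providers, nonce, mode));
  } catch {
    // FedCM deliberately reports most failures (user dismissed, no eligible
    // account, IdP error) as a generic rejection so the site cannot learn
    // which; treat any rejection as "fall back to the regular sign-in UI".
    return null;
  }
  if (!cred || cred.type !== 'identity') return null;
  // The token is opaque to page script: the server validates it with the IdP
  // (signature, audience = clientId, nonce) before creating a session.
  return { token: cred.token, autoSelected: Boolean(cred.isAutoSelected) };
}

// Usage from the Sign-in button's click handler (endpoints are assumptions):
//   const { nonce } = await (await fetch('/auth/fedcm/nonce')).json();
//   const result = await signInWithFedCm(PROVIDERS, nonce);
//   if (result) await fetch('/auth/fedcm/verify', { method: 'POST', body: JSON.stringify(result) });
//   else showOwnSignInButtons();
```

Because each provider entry carries its own clientId, the server must validate the returned token against the provider that issued it; treating a token from one IdP as valid for another's clientId would let an account at the wrong provider sign in.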

Digital credentials: Fast, private ID verification online

Digital credentials are becoming more common worldwide. They let users verify attributes like age, student status, or identity through a digital wallet. The Digital Credentials API lets users share verified claims, such as age or license status, from their mobile wallet directly with websites.

We're working with W3C and industry leaders to make this a standard. Our goal is a user-friendly, secure, private, and consistent experience across platforms.

Some interesting features:

Device Bound Session Credentials: Stay signed in, stay protected

User sessions are frequently identified by their cookies, which malware could steal from a user's device.

Device Bound Session Credentials (DBSC) links a session to a specific device, so a stolen cookie alone is not enough to continue the session elsewhere. This reduces the risk of session hijacking and improves protection when users are signed in to email or social media accounts or accessing government services.

DBSC helps developers create more secure, stable sessions by tying authentication to the device used during sign in.

Feedback

We'd love your feedback on everything we shared. Try out the features, explore the links in this document, and tell us what you think.
