Google has unveiled a new security feature called Identity Check, designed to protect sensitive settings on supported Android devices by locking them behind biometric authentication when users are outside of trusted locations. The feature aims to enhance device and account security, especially in situations where unauthorized access could compromise critical settings.
“When you turn on Identity Check, your device will require explicit biometric authentication to access certain sensitive resources when you’re outside of trusted locations,” Google explained in its announcement.
Biometric Protection for Critical Actions
The Identity Check feature introduces a robust layer of security by mandating biometric authentication for specific actions, which include:
- Accessing saved passwords and passkeys in Google Password Manager.
- Using autofill passwords in apps from Google Password Manager (excluding Chrome).
- Modifying screen lock settings such as PIN, pattern, and password.
- Changing biometric options like Fingerprint or Face Unlock.
- Running a factory reset.
- Turning off Find My Device and other theft protection features.
- Managing trusted locations and disabling Identity Check.
- Setting up a new device with the current one.
- Adding or removing a Google Account.
- Accessing Developer options.
This feature also activates enhanced protection for Google Accounts, preventing unauthorized users from taking control of accounts logged into the device.
Availability and Activation
Currently, Identity Check is exclusive to Google Pixel devices running Android 15 and eligible Samsung Galaxy phones with One UI 7. Users can enable the feature by navigating to:
Settings > Google > All services > Theft protection > Identity Check.
The rollout is part of Google’s broader effort to enhance device security, complementing existing features such as Theft Detection Lock, Offline Device Lock, and Remote Lock.
Expanding Theft Protection Tools
Google has also extended its AI-powered Theft Detection Lock to all Android devices running Android 10 or later globally. This tool, developed in collaboration with the GSMA and industry experts, aims to combat mobile theft through shared information and prevention techniques. These advancements reflect Google’s commitment to improving device security across the Android ecosystem.
Tackling Chrome Extension Threats
In addition to mobile security, Google is addressing cybersecurity risks in web browsers. The company recently launched the Chrome Web Store for Enterprises, enabling organizations to curate lists of approved extensions. This initiative reduces the likelihood of employees installing harmful or unverified add-ons.
Concerns about browser extension security are particularly timely following revelations about a spear-phishing campaign targeting Chrome extension developers. This campaign, identified by French cybersecurity firm Sekoia, injected malicious code into legitimate Chrome extensions. The attack compromised sensitive data, including API keys, session cookies, and authentication tokens for platforms such as ChatGPT and Facebook for Business.
Sekoia’s analysis highlighted the persistence of the threat actor, who shifted tactics in late 2024 from distributing malicious extensions via fake websites to compromising legitimate ones. The shift involved phishing emails, malicious OAuth applications, and injected code, further illustrating the sophisticated strategies employed by cybercriminals.
Implications for Users and Enterprises
These developments underline the growing importance of securing digital devices and accounts in an era of increasing cyber threats. Google’s Identity Check and Theft Detection Lock are timely responses to the rising risk of mobile theft and unauthorized access. Meanwhile, enterprise tools like the Chrome Web Store for Enterprises aim to protect organizations from vulnerabilities introduced through browser extensions.
While these measures strengthen overall security, they also serve as reminders for users and organizations to stay vigilant. Cybercriminals are becoming more innovative, targeting both individual users and larger ecosystems like browser extensions.