Editor's take: Google is once again trying to simplify something that was already fairly easy and convenient. Mountain View's latest target is email-based authentication, which is now dropping the email-checking step altogether thanks to a new Android API update.
Google is working on a more streamlined way for app developers to authenticate users. The company has introduced a new verified email credential issued directly through Android's Credential Manager API, with the goal of modernizing the authentication process. Users will no longer need to check their inbox for temporary authentication codes, a step that can be cumbersome enough to negatively affect some apps' chances of success.
Google describes modern authentication methods as a difficult trade-off between security and convenience. During the sign-up process for an app or third-party service, users are typically asked to verify ownership of an email address using one-time passwords or "magic links" sent via email or SMS.
While this approach is effective, Google argues it can be unnecessarily complex, as it requires users to switch context between a newly installed app and their email inbox. Additionally, although email addresses are usually free, email is not necessarily reliable: messages can be caught by spam filters, and delivery is not guaranteed.
The alleged third problem with OTP-based authentication frankly made me chuckle. Google stated that "every extra second spent in the 'verification loop' is a second where a user might lose interest, directly impacting conversion rates."
I've never experienced such a "stressful" moment while entering an OTP to log into Steam, but maybe it's just me. After all, I enjoy Soulsborne games and have spent hundreds of hours with Elden Ring.
In any case, Google's proposed solution to modern authentication friction is a cryptographically verified email credential issued directly to an Android device. Similar to passkeys, these credentials are tied to a verified device and delivered during authentication through the Credential Manager API.
The API implements the W3C Digital Credential API specification and can potentially replace the need to send and verify OTPs or SMS messages when confirming ownership of an email address. Google explains that the new authentication experience is more transparent and easier to understand, as users are clearly informed about what data is being requested and shared with third-party providers.
Developers can integrate the Digital Credential API to use the new on-device email credentials in their apps. This enables a one-tap consent flow for sign-ups, account recovery, or re-authentication for sensitive actions or settings changes.
Google notes that the feature is only available for "regular" consumer accounts. Google accounts tied to Workspace services or supervised accounts are not supported at this time. Verified credentials can include several data types such as first name, last name, full name, and profile picture, but only the email address itself is actively verified by Google.
The new verified email credentials integrated into the Credential Manager API are designed to streamline the authentication process, Google said. In the future, account "verification" may no longer be a user-driven, manual step, but instead an integrated part of the native mobile experience.
Google is taking a similar stewardship-style approach to other security-sensitive areas, such as third-party app sideloading, which it increasingly frames as a higher-risk activity when using non-official software sources.

