You can unlock your Chromebook or sign into eligible websites and apps with your fingerprint.
- Your fingerprint data is stored securely and never leaves your device.
- Your fingerprint data isn't shared with Google or any apps on your device.
- Apps are notified only whether your fingerprint was verified.
Cautions about fingerprints
Fingerprints are an easy way to unlock your device. But a fingerprint may be less secure than a strong password or PIN.
A copy of your fingerprint could be used to unlock your device. You leave fingerprints on many things that you touch, including your device.
Fingerprint data is stored securely
Google has strict guidelines about how fingerprint data can be stored on your device.
Security requirements for fingerprint hardware
Secure location
- A secure part of the hardware known as a Secure Biometrics Processor (SBP) captures and recognises your fingerprint.
- Fingerprint data is secured within sensor hardware or trusted memory so that images of your fingerprint aren't accessible.
Secure storage and removal
- Only the encrypted form of the fingerprint data is stored on the file system, even if the file system itself is encrypted.
- Fingerprint data gets removed from the device when a user is removed.
- Even if the device gets rooted, fingerprint data isn't compromised.
- Google’s guidelines require fingerprint templates to be cryptographically authenticated. Fingerprint templates are processed versions of raw fingerprint images.
- Fingerprint templates must be signed with a private, device-specific key, for example using a keyed-hash message authentication code (HMAC). The signature must include the absolute file-system path, group and finger ID, such that template files won't work on another device or for anyone besides the person who set them up on the same device. For example, it won't work to copy the fingerprint data from a different user on the same device or from another device.
- Fingerprint data must be encrypted with a device-specific key, for example using Advanced Encryption Standard (AES), so that a raw image or fingerprint template isn't readable by a separate device.
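The binding described in the last two points can be illustrated with a short sketch. This is an added example, not Google's or ChromeOS's code: the function names, field encoding, paths, IDs and keys are all assumptions constructed for illustration, and the AES encryption step is left out, with an opaque byte string standing in for the already-encrypted template.

```python
import hashlib
import hmac
import struct


def _bound_message(path: str, group_id: int, finger_id: int, blob: bytes) -> bytes:
    """Serialize the fields the tag must cover, length-prefixed so field
    boundaries are unambiguous."""
    p = path.encode("utf-8")
    return (struct.pack(">I", len(p)) + p
            + struct.pack(">II", group_id, finger_id)
            + struct.pack(">I", len(blob)) + blob)


def seal_template(device_key: bytes, path: str, group_id: int,
                  finger_id: int, blob: bytes) -> bytes:
    """Return an HMAC-SHA256 tag binding the template to this device and slot."""
    msg = _bound_message(path, group_id, finger_id, blob)
    return hmac.new(device_key, msg, hashlib.sha256).digest()


def verify_template(device_key: bytes, path: str, group_id: int,
                    finger_id: int, blob: bytes, tag: bytes) -> bool:
    """Recompute the tag from where the file was found; constant-time compare."""
    expected = seal_template(device_key, path, group_id, finger_id, blob)
    return hmac.compare_digest(expected, tag)


# Constructed sample values (not real keys, paths or templates).
KEY_DEVICE_A = hashlib.sha256(b"constructed secret for device A").digest()
KEY_DEVICE_B = hashlib.sha256(b"constructed secret for device B").digest()
PATH_USER_1 = "/example/user1/fingerprint/template_0"
PATH_USER_2 = "/example/user2/fingerprint/template_0"
BLOB = b"\x01\x02constructed-encrypted-template\x03\x04"
TAG = seal_template(KEY_DEVICE_A, PATH_USER_1, 1001, 0, BLOB)


def run_checks() -> dict:
    """Verify the template in place, then in each relocated or modified form."""
    return {
        "in_place": verify_template(KEY_DEVICE_A, PATH_USER_1, 1001, 0, BLOB, TAG),
        "other_user_path": verify_template(KEY_DEVICE_A, PATH_USER_2, 1002, 0, BLOB, TAG),
        "other_device": verify_template(KEY_DEVICE_B, PATH_USER_1, 1001, 0, BLOB, TAG),
        "other_finger_id": verify_template(KEY_DEVICE_A, PATH_USER_1, 1001, 1, BLOB, TAG),
        "modified_blob": verify_template(KEY_DEVICE_A, PATH_USER_1, 1001, 0, BLOB + b"\x00", TAG),
    }


if __name__ == "__main__":
    for case, ok in run_checks().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only the template verified at its original path, group and finger ID with the original device key is accepted; every relocated or altered copy is rejected.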