Hadlee Simons / Android Authority
TL;DR Android’s Identity Check feature is being expanded in the upcoming Android 16 QPR2 update to better protect your sensitive apps.
The feature will now enforce biometric-only authentication for any app that uses the biometric prompt, removing the screen lock credential as a fallback.
This optional security measure will prevent thieves who know your PIN from accessing sensitive apps when you’re outside of a trusted location.
Late last year, Google announced a new feature called Identity Check. It helps protect your sensitive data by requiring biometric authentication for certain actions when your device is outside of a trusted location. For example, if someone snatches your phone and tries to access your saved passwords in Google Password Manager, Android will verify that person’s biometrics before allowing access. This prevents thieves from performing certain sensitive actions even if they know your lock screen PIN, pattern, or password. However, it doesn’t prevent those thieves from accessing certain sensitive apps that allow you to use your screen lock credentials as a fallback. That could change in Android’s big December update.
Don’t want to miss the best from Android Authority? Set us as a preferred source in Google Search to support us and make sure you never miss our latest exclusive reports, expert analysis, and much more.
Earlier today, Google rolled out the first beta of Android 16 QPR2, which is scheduled for a stable release in December. After installing the beta on my Pixel phone and navigating to Settings > Security & privacy, I found a notice at the top that said, “Identity Check is available on more apps. You can secure your identity protection on any app that offers Fingerprint or Face Unlock to identify you.”
Tapping “View details” opened a card that said, “When you use Identity Check for all apps that support Fingerprint and Face Unlock, you ensure stronger protection and a more consistent experience – without extra setup.”
Mishaal Rahman / Android Authority
This change might not make sense at first, so to understand it, I need to explain how biometric authentication currently works in Android. When an app wants to verify your identity, it can call Android’s biometric prompt API to show a system dialog that asks for your biometrics. Apps can choose what kinds of biometrics to allow when calling this API, how secure those biometrics have to be, and whether to allow your screen lock credentials (PIN, pattern, or password) as a fallback.
Some apps allow your screen lock credentials as a fallback mechanism in case you can’t verify your biometrics, such as when you’re wearing a glove or a mask. However, by doing so, they allow themselves to be accessed by any person who knows your device’s screen lock credentials, which could include shoulder-snooping phone thieves.
To prevent this from happening, Google is expanding Identity Check in Android 16 QPR2 to cover any app that uses the biometric prompt API. When Identity Check is turned on and someone tries to access an app that invokes this API, Android 16 QPR2 won’t allow your screen lock credentials to be used as a fallback. It will instead enforce biometric authentication, preventing unauthorized access to your sensitive apps outside of trusted locations.
Identity Check is part of Android’s Theft Protection suite, and like other theft protection features, it’s optional. To enable it on your Pixel, you need to go to Settings > Security & privacy > Device unlock > Theft protection > Identity check.
Google
In addition to securing more apps, Identity Check will soon let you use your smartwatch as a trusted unlock mechanism. When your phone is in an untrusted location but connected to a trusted smartwatch, Identity Check won’t require biometric authentication. This other feature isn’t available yet, but we could see it roll out in a future beta release.
For more details on what’s new in Android 16 QPR2 Beta 1, check out our ongoing coverage.
Follow