Google Launches Instant Email Verification via Credential Manager API on Android, Eliminating OTPs
What Happened – Google released a new Credential Manager API that returns cryptographically verified email addresses directly to Android apps, removing the need for one‑time‑password (OTP) or email‑link verification steps. The feature is limited to personal Google accounts and works on Android 9+ devices with the latest Play Services.
Why It Matters for TPRM –
- Reduces onboarding friction for third‑party apps, potentially increasing user adoption and data collection.
- Shifts verification responsibility to Google’s trusted infrastructure, altering the risk profile of authentication flows.
- Introduces a new data‑exchange surface (verified email claim) that vendors must evaluate for proper trust and handling.
Who Is Affected – SaaS providers, mobile app developers, and any organization that integrates Android authentication using the Credential Manager API (primarily tech, fintech, and consumer‑facing services).
Recommended Actions –
- Review any Android authentication implementations that rely on OTP or email‑link verification and assess migration to the new verified‑email flow.
- Validate that your app’s trust model correctly verifies Google as the issuer and that unverified fields (e.g., name, profile picture) are not mistakenly treated as trusted.
- Update security and privacy policies to reflect the use of Google‑verified credentials and ensure compliance with relevant data‑handling regulations.
Technical Notes – The API aligns with the W3C Digital Credential API standard and returns a signed claim indicating Google‑verified email ownership. Only the email address is cryptographically verified; additional profile data (e.g., name, profile picture) is not and must be treated as untrusted user input. The feature requires Google Play services 25.49.x+ and is unavailable for Google Workspace or supervised accounts.
Source: Help Net Security