
Testing Smart Lock for Passwords app integration

I’ve implemented Smart Lock for Passwords in my app. What are some common scenarios and UX flows that I should test out?

Alfonso Gomez Jordana Manas Avatar asked Jan 13 '16 07:01





2 Answers

Here’s a guide to test Smart Lock for Passwords functionality in an app. If you have a website, associate your app and site to test those cases. Also check out the developer integration guide.

Check what's saved for the current Google Account at passwords.google.com. Entries are shown under the website domain or Android package/app name; delete any entries to start over.

  1. Auto sign-in when app starts and a single saved entry exists. This is the recommended UX pattern to seamlessly transition between devices and help users complete transactions and pick up their experience where they left off last time. Sign-In UI should be disabled or hidden until the API call is complete, and do not call the API if you already have a signed-in user.

  2. Sign-up with a password in the app: check for a hints dialog to help fill the sign-up form fields such as name and email, and check for a save prompt, then select "Save password".

  3. Auto sign-in after reinstalling app (or clearing app data). Show prompt for multiple credentials if something was already saved or auto sign-in is disabled.

  4. Regular sign-in after deleting any saved passwords at passwords.google.com, save the existing account credentials when prompted.

  5. Sign-out: the app should call disableAutoSignIn. When the user returns to the sign-in activity / UI, call the API to help them sign back in or switch between accounts easily (the app should resolve an intent to show a picker dialog), without automatically signing the user back in.

  6. Password update in the app should save the change (the app should just call the save API; no UI is needed for password updates). Check passwords.google.com for the updated password.

  7. Multiple accounts: after sign-up for a different second account on the web, reinstall the app and see if both saved entries are offered for sign-in via a picker dialog.

  8. Wrong stored password: You can save a wrong password in Chrome by running the following in the console on your login domain: navigator.credentials.store(new PasswordCredential({id: '[email protected]', password: 'wrongpassword'})). Then test retrieving this in the app, which could either prompt user to correct the password and save the new one, or delete an invalid credential so user doesn't get stuck in this state.

  9. Web auto-fill: when visiting the https website in Chrome, check that passwords saved on Android are available to fill in the website password field (they should also show in chrome://settings/passwords).

  10. IDP sign-in: after deleting saved password entries, sign in/up to the app with Facebook etc.; the app may prompt to "Save account". Reinstall to see the auto sign-in UX (i.e., the app may automatically "click" the appropriate button for the user or customize their sign-in screen to the returning user). The same applies to Google Sign-In, but no save prompt is shown; it will save automatically to the appropriate Google account, see example use of silentSignIn.

Keep in mind that if you tap the "Never" button on a save dialog, it will add the app to the Never save list in Settings > Google > Smart Lock for Passwords for all accounts on the device and the save prompt will not be shown again (API error message "The current app is blacklisted"). You will need to remove the app from the Never save list for all accounts on the device to see the save prompt again.

Also note that Android credentials are affiliated to the signature and package of the app in which they were saved, in case you sign your app with multiple debug or release keystores during development.

Steven Avatar answered Sep 20 '22 14:09



Google publishes a REST API that allows us to test the association between your website and app once you publish it to the Play Store, here https://developers.google.com/digital-asset-links/reference/rest/v1/assetlinks/check

The API outputs a debug log of all the checks that were performed, and whether the linking worked or not. It is extremely helpful, but has very few incoming links!

I used this API to check my app as the "source" and my website as the "target", with this in the relation field: delegate_permission/common.get_login_creds, along with my app's package id, release key hash and of course my website url as the target website.

Dhiraj Gupta Avatar answered Sep 18 '22 14:09

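The first answer says to associate the app and site before testing, and notes that credentials are bound to the app's package and signing certificate; the second answer uses the Digital Asset Links check API to verify that association. The script below is an added example (not code from either answer or from Google): it evaluates a site's assetlinks.json locally the way the check API does for a web-site source and an Android-app target, producing the same kind of debug trail for each skipped statement, derives the colon-separated SHA-256 certificate fingerprint that the statement must list, and builds the assetlinks:check query URL in either direction (site as source, or app as source as Dhiraj describes). The site, package name, fingerprint and statement list are constructed sample values, not a real deployment.

```python
import hashlib
import json
from urllib.parse import urlencode

# The relation Smart Lock for Passwords needs between a web site and an Android app.
LOGIN_CREDS_RELATION = "delegate_permission/common.get_login_creds"
CHECK_ENDPOINT = "https://digitalassetlinks.googleapis.com/v1/assetlinks:check"

# Constructed sample values: not a real site, package or signing certificate.
SAMPLE_SITE = "https://example.com"
SAMPLE_PACKAGE = "com.example.wallet"
SAMPLE_RELEASE_FP = ":".join(f"{b:02X}" for b in range(32))  # "00:01:02:...:1F"
SAMPLE_ASSETLINKS_JSON = json.dumps([
    {   # unrelated statement: a web target can never grant an app
        "relation": ["delegate_permission/common.handle_all_urls"],
        "target": {"namespace": "web", "site": "https://other.example.org"},
    },
    {   # the statement that lets the app read the site's saved passwords
        "relation": [LOGIN_CREDS_RELATION],
        "target": {
            "namespace": "android_app",
            "package_name": SAMPLE_PACKAGE,
            "sha256_cert_fingerprints": [SAMPLE_RELEASE_FP],
        },
    },
])


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded signing certificate in the colon-separated,
    uppercase form assetlinks.json uses (the value keytool -list -v prints)."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize_fp(fingerprint: str) -> str:
    return fingerprint.replace(":", "").upper()


def site_grants_app(assetlinks_json: str, package_name: str, fingerprint: str,
                    relation: str = LOGIN_CREDS_RELATION):
    """Evaluate a site's /.well-known/assetlinks.json locally, the way the check
    API does for source = web site, target = android app.
    Returns (linked, debug_lines); the debug lines say why each statement was skipped."""
    debug = []
    try:
        statements = json.loads(assetlinks_json)
    except json.JSONDecodeError as exc:
        return False, [f"assetlinks.json is not valid JSON: {exc}"]
    if not isinstance(statements, list):
        return False, ["assetlinks.json must be a JSON array of statements"]
    wanted_fp = _normalize_fp(fingerprint)
    for index, statement in enumerate(statements):
        target = statement.get("target", {})
        if target.get("namespace") != "android_app":
            debug.append(f"statement {index}: target namespace is not android_app")
            continue
        if target.get("package_name") != package_name:
            debug.append(f"statement {index}: package {target.get('package_name')!r} != {package_name!r}")
            continue
        if relation not in statement.get("relation", []):
            debug.append(f"statement {index}: does not list relation {relation}")
            continue
        listed = {_normalize_fp(fp) for fp in target.get("sha256_cert_fingerprints", [])}
        if wanted_fp not in listed:
            # The usual failure when the APK was signed with a different (debug) keystore.
            debug.append(f"statement {index}: fingerprint {fingerprint} not in sha256_cert_fingerprints")
            continue
        debug.append(f"statement {index}: grants {relation} to {package_name}")
        return True, debug
    return False, debug


def build_check_url(site: str, package_name: str, fingerprint: str,
                    relation: str = LOGIN_CREDS_RELATION, app_as_source: bool = False) -> str:
    """Query URL for the assetlinks:check REST method. With app_as_source=False the
    site is the source and the app the target (the site's assetlinks.json is checked);
    with app_as_source=True the roles are swapped (the app's asset_statements are checked)."""
    web = {"web.site": site}
    app = {"androidApp.packageName": package_name,
           "androidApp.certificate.sha256Fingerprint": fingerprint}
    source, target = (app, web) if app_as_source else (web, app)
    params = {"relation": relation}
    params.update({f"source.{k}": v for k, v in source.items()})
    params.update({f"target.{k}": v for k, v in target.items()})
    return CHECK_ENDPOINT + "?" + urlencode(params)


if __name__ == "__main__":
    linked, lines = site_grants_app(SAMPLE_ASSETLINKS_JSON, SAMPLE_PACKAGE, SAMPLE_RELEASE_FP)
    print("linked:", linked)
    for line in lines:
        print("  ", line)
    print(build_check_url(SAMPLE_SITE, SAMPLE_PACKAGE, SAMPLE_RELEASE_FP))
```

Running the local evaluator against the fingerprint of the keystore you actually signed the test build with is the quickest way to spot the mismatch the first answer warns about: the package matches, but the fingerprint listed in the site's statement belongs to a different keystore, so neither the check API nor Smart Lock will treat the app and site as associated. The URL builder is only a convenience for issuing the real check once the app is published; the response's linked flag and debugString carry the verdict.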