Google Plans to Replace Email Verification Codes with "One-Tap Credentials" to Advance Native Authentication
Google is promoting a new Android authentication scheme, aiming to replace traditional email verification codes with "verified email credentials" issued directly by the system. This will reduce the reliance on one-time passwords or email "magic links" for app developers during user registration, login, and account recovery.
According to reports, this new capability has been integrated into Android's Credential Manager API. Google hopes to transform current common authentication methods: in the past, when registering an app or third-party service, users typically needed to receive a one-time password via email or SMS, or click a verification link in the email, to prove control over an email address; under the new mechanism, users will no longer need to frequently switch to their inbox to find temporary verification codes.
Google believes that modern authentication has long been a trade-off between security and convenience. While traditional email verification codes and SMS verification methods are generally effective, their operational flow is lengthy, and users often need to switch back and forth between newly installed apps and their email, which "context switching" increases friction costs. Furthermore, while email addresses have a low barrier to entry, they are not always reliable in terms of spam filtering and email delivery stability.
Reports also mention that Google views the extra time users spend in the verification process as a potential factor affecting conversion rates. According to Google, every additional second a user spends in the "verification loop" can increase the likelihood of them losing interest and abandoning the process, directly impacting the registration conversion performance of apps or services.
To this end, Google's proposed alternative is to issue encrypted and verified email credentials directly to Android devices. These credentials are linked to the device itself, work similarly to passkeys that have been widely promoted in recent years, and are delivered to apps through the Credential Manager API during authentication.
From a technical standard perspective, this API adopts the W3C's Digital Credential API specification. Reports indicate that it may potentially replace existing practices of sending and verifying one-time verification codes or SMS messages in the task of "confirming email ownership." Google says the new scheme is also more transparent in terms of interaction, allowing users to more clearly know what data they are being asked to provide and how that data will be shared with third-party service providers.
For developers, as long as they access the Digital Credential API, they can call this device-stored email credential in their applications. This way, whether it's new user registration, account recovery, or re-verification before performing sensitive operations and setting changes, it can all be completed with a "one-tap consent."
However, this feature currently has limitations in its scope of application. Google states that it currently only supports ordinary consumer accounts, and Google accounts bound to Workspace services and regulated accounts are not yet supported. At the same time, verified credentials can contain various data fields such as first name, last name, full name, and avatar, but only the email address itself has been actively verified by Google so far.
According to Google's vision, the ultimate goal of this "verified email credential" function embedded in the Credential Manager API is to make authentication no longer an independent step completed manually by the user, but rather become part of the native mobile experience. Reports also point out that Google has recently adopted a similar approach in other security-sensitive areas, such as continuously strengthening risk prompts and controls for sideloading applications from third-party sources, demonstrating its attempt to implement stronger system-level leadership in more critical security links within the Android ecosystem.