Chrome 86 released with password-related security improvements

Google has released Chrome 86 today to the stable channel, and this new release includes numerous security enhancements and new APIs for developers.

Each new Chrome release usually focuses on a main theme. For example, Chrome 84 focused on UI overhauls, while Chrome 85 focused on speed and API improvements.

In that vein, Chrome’s new v86 release comes with loads of password and security-related upgrades, along with several deprecations and new APIs under the hood.

Password-checking feature coming to mobile

In December 2019, with Chrome 79, Google added a feature to Chrome named Password Checkup that would take the user’s synced passwords and check to see if they’ve been leaked online during data breaches at other companies.

With Chrome 86, Google says this feature (known as Safety Check since May 2020) is now coming to mobile versions of Chrome on Android and iOS.

Easier to change compromised passwords

Furthermore, Safety Check itself is also getting updates. Starting with Chrome 86, Safety Check supports the “.well-known/change-password” standard.

This is a W3C standard that allows websites to specify the URL where users can go to change their passwords.

Chrome 86 adding support for this standard means that users can press a button in the Chrome password settings screen and go directly to that page and change the password right away, rather than search blindly through a website’s complicated structure.

Biometric authentication for password filling on iOS

Google is also expanding the touch-to-fill feature on iOS. Originally launched on Android in July, this feature works by detecting the site the user is navigating on and then prompting the user to autofill passwords, if credentials are recorded.

The feature was created to prevent users from autofilling passwords on phishing sites, but it also lets users fill in passwords in login forms with the touch of a finger, without having to scroll through tens or hundreds of entries to select the proper credentials to auto-fill.

Starting with Chrome 86, this new feature is also present on iOS, where as an additional security feature, users will also be asked to authenticate via a biometric before auto-filling passwords. This includes using Face ID, Touch ID, or their phone passcode as a last resort.

Enhanced Safe Browsing coming to mobile

Enhanced Safe Browsing, a security feature that provides increased phishing and malware detection, is being expanded to mobile versions of Chrome.

The feature made its debut in Chrome 83, in May 2020, but only for desktop versions.

Warnings on insecure forms

Chrome 86 now also shows warnings when entering data inside “insecure forms.”

By “insecure forms,” Google is referring to forms hosted on encrypted HTTPS pages but which secretly submit their data via non-encrypted HTTP operations.
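Site owners can audit their own pages for this pattern before users see the warning. The sketch below is an added example, not Chrome's implementation or code from Google; the function names, the regex-based attribute extraction and the shop.example sample page are assumptions made for illustration.

```javascript
// Added example, not Chrome's implementation. Regex attribute extraction is a
// simplification for audit scripts, not a full HTML parser.

// Return the value of attribute `name` in one tag's source text, or null if absent.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// List every submission target on an HTTPS page that resolves to plain HTTP.
function findInsecureForms(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // only HTTPS pages are in scope

  // A <base href> changes how relative targets resolve, so honour it.
  const baseTag = /<base\b[^>]*>/i.exec(html);
  const baseHref = baseTag ? attr(baseTag[0], 'href') : null;
  let base = page.href;
  try { if (baseHref) base = new URL(baseHref, page.href).href; } catch { /* keep page URL */ }

  const findings = [];
  const check = (raw, via) => {
    let target;
    // A missing or empty target submits to the page's own URL.
    try { target = new URL(raw || page.href, base); } catch { return; }
    if (target.protocol === 'http:') findings.push({ via, target: target.href });
  };

  for (const [tag] of html.matchAll(/<form\b[^>]*>/gi)) check(attr(tag, 'action'), 'action');
  // formaction on a submit control overrides the enclosing form's action.
  for (const [tag] of html.matchAll(/<(?:button|input)\b[^>]*>/gi)) {
    const override = attr(tag, 'formaction');
    if (override !== null) check(override, 'formaction');
  }
  return findings;
}

// Constructed sample page (hypothetical hosts under shop.example).
const SAMPLE_PAGE = 'https://shop.example/account/login';
const SAMPLE_HTML = `
<form action="/session" method="post"></form>
<form action="http://auth.shop.example/login" method="post"></form>
<form action=//cdn.shop.example/subscribe></form>
<form method="post"><button formaction="http://legacy.shop.example/pay">Pay</button></form>`;

console.log(findInsecureForms(SAMPLE_PAGE, SAMPLE_HTML));
```

Relative and protocol-relative targets inherit HTTPS from the page, so only the two explicit `http://` targets in the sample are reported.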

Warnings on insecure downloads

Google is also continuing with its plan to show warnings when files are downloaded via HTTP from pages served over HTTPS.

In Chrome 86, executable and archive files are blocked by default, while Chrome shows warnings for office-related document downloads.

Start of the FTP deprecation

Chrome 86 is also the first version in Google’s grand master plan to remove support for FTP links from Chrome. The entire timeline is below:

  • Chrome 86 – FTP is still enabled by default for most users, but turned off for pre-release channels (Canary and Beta) and will be experimentally turned off for one percent of stable users. In this version you can re-enable it from the command line using either the --enable-ftp command line flag or the --enable-features=FtpProtocol flag.
  • Chrome 87 – FTP support will be disabled by default for fifty percent of users but can be enabled using the flags listed above.
  • Chrome 88 – FTP support will be disabled.

New Native File System

The new Native File System API is a new developer tool that Google tested in previous versions of Chrome and has activated by default in Chrome 86.

This new API enables developers to build powerful web apps that interact with files on the user’s local device. The new API is hidden behind a permission prompt to prevent websites from accessing any local files without authorization.

However, after a user grants the browser access, this API allows a website to behave like a locally installed app and save and interact with designated files and folders on the user’s device.

Google expects this new API to be used to build interactive web apps such as IDEs, photo and video editors, text editors, and more.


But we only touched on the major Chrome 86 features. Users who’d like to learn more about the other features added or removed in this new Chrome release can check out the following links for more information:

  • Chrome security updates are detailed here [not yet live].
  • Chromium open-source browser changes are detailed here.
  • Chrome developer API deprecations and feature removals are listed here.
  • Chrome for Android updates are detailed here [not yet live].
  • Chrome for iOS updates are detailed here.
  • Changes to Chrome V8 JavaScript engine are available here.
  • Changes to Chrome’s DevTools are listed here.