Google is deploying a new authentication framework that may phase out legacy email verification codes. Integrated into Android’s Credential Manager API, the verified email credential system is intended to improve and modernize identity verification across apps.
For years, users have followed the standard sign-up process of downloading an app, entering an email address, and waiting for a one-time password or magic link. Google believes those extra steps add friction that can reduce app sign-ups.
Google describes current authentication systems as a balance between security and convenience. During sign-up for apps or third-party services, users commonly need to verify their email address through one-time passwords or magic links sent by email or SMS.
The process often forces users to move back and forth between a newly installed app and their email inbox. In addition to being inconvenient, email delivery can be unreliable, with spam filters sometimes blocking verification messages, and no guarantee they will arrive promptly.
However, the third issue raised by Google may stand out the most. According to the company, every extra second spent completing verification increases the risk of users losing interest, which can lower conversion rates.
Whether a brief two-second trip to the inbox is enough to push users away remains open to debate. Even so, Google is pressing ahead with its proposed solution.
Google’s proposed answer is a cryptographically verified email credential issued directly to an Android device. Similar to passkeys, the credential is linked to a trusted device and provided during authentication through the Credential Manager API.
Built on the W3C Digital Credential API specification, the system could eliminate traditional OTP and SMS-based email verification flows. Google says the updated authentication model improves transparency by clearly disclosing what user data is requested and passed to third-party services.
By integrating the Digital Credential API, developers can enable on-device email credentials across their applications. The implementation supports one-tap consent for onboarding, account recovery, and step-up authentication for high-risk actions or configuration changes.
However, the feature has some limitations. Google notes that it is currently available only for regular consumer accounts, while Workspace-connected and supervised accounts are not supported.
Verified credentials can contain several pieces of information, including a first name, last name, full name, and profile picture. However, Google notes that only the email address itself is formally verified.
For now, Android users can expect the new one-tap verification option to appear in supported apps as developers begin adopting the Digital Credential API. The long-standing routine of searching an inbox for a six-digit code may soon start to fade.
Maybe you would like other interesting articles?