Android Identity Check Anti-Theft Feature Expands to Banking Apps

Google's Android Identity Check anti-theft feature has expanded to cover third-party banking apps and password managers, closing the gap that previously left financial accounts exposed even when system-level protections were active. Apps integrating Android's Biometric Prompt API now automatically require biometric authentication outside trusted locations, meaning a thief who has both the device and the PIN still cannot open a banking app or access saved passwords without the owner's fingerprint or face scan, Android Police reported earlier this year.

Google designed Identity Check for exactly this scenario: protection that holds "even if a thief or bad actor manages to learn your device PIN," the company said at the feature's launch last year.

What changed in the Android Identity Check anti-theft feature expansion

When Identity Check launched on Pixel and Samsung Galaxy devices running Android 15 in early 2025, its biometric gate covered system-level actions: changing the device PIN, disabling theft protections, accessing Passkeys. That was a meaningful first perimeter. But it was not where most financial damage from phone theft actually occurs.

The update reported in January 2026 extended that perimeter outward. Any app integrating Android's Biometric Prompt API now automatically inherits Identity Check's protection outside trusted locations, with no developer action required, Android Police reported. "Critical tools that use Biometric Prompt, like third-party banking apps and Google Password Manager, automatically benefit from the additional security of Identity Check," the report noted. Because this is a platform behavior rather than an app-level change, coverage is consistent across qualifying apps from day one.

The account layer is protected directly as well. Identity Check strengthens security for Google Accounts on all supported devices and adds equivalent protection for Samsung Accounts on eligible Galaxy hardware, making unauthorized account takeover significantly harder even after a device has left the owner's hands, Google noted at launch. That matters because account takeover, not just on-device access, is often where the lasting damage from a stolen phone occurs.

Before this update, a thief who had watched someone enter a PIN could potentially unlock a screen, open a banking app that didn't independently require biometrics, and initiate a transfer before the owner had time to trigger a remote lock. The January 2026 change specifically addresses that window.

How the Android Identity Check anti-theft feature works outside trusted locations

Identity Check is location-aware by design. During setup, users designate trusted locations, typically home and a workplace. Inside those locations, the phone behaves as it always has; PIN access works without any additional step. Outside them, biometric authentication is required for a defined set of protected actions, including changing the device PIN or biometrics, disabling theft protection, accessing Passkeys, and now any app using Biometric Prompt, per Google's documentation.

The scenario it blocks: a thief watches someone unlock their phone at a café, grabs it, and walks out. Outside the owner's trusted location, the banking app requires a fingerprint or face scan. Changing the device PIN requires the same. So does accessing Passkeys. Without the owner's biometric credentials, none of those actions complete. The phone is stolen; the accounts remain inaccessible.

There is a deliberate gap in this design, and it deserves direct attention. A phone stolen inside a trusted location, at home, for instance, does not trigger the biometric gate. Google's answer for that scenario is rate-based: failed PIN attempts in a trusted location now result in significantly longer lockout durations, Android Police reported. The system also distinguishes between systematic guessing and honest errors. Identical wrong guesses no longer count toward the retry limit, ensuring that a child trying a parent's PIN or a user mistyping the same digit twice doesn't get penalized the way a methodical attacker would, the same report noted.

This means the security calculus of trusted-location setup is not incidental. Any location added as trusted is a zone where the biometric requirement does not apply. A shared workspace, a frequently visited location, or anywhere a potential attacker has routine physical access, added as trusted for convenience, narrows the feature's real-world coverage. The security model favors conservative configuration; the design just doesn't enforce it.

Android 15 also introduced a separate feature called Private Space, which lets users create a hidden, separately locked area on the phone for sensitive apps like health or financial tools, Google explained in 2024. That functions as an additional containment layer independent of trusted-location logic, useful for scenarios where Identity Check's location model doesn't apply.

The broader theft protection stack

Identity Check addresses the final stage of phone theft: an attacker who already has the device, knows the PIN, and is trying to convert both into financial or account access. Three other features cover earlier points in the sequence, and understanding how they layer together clarifies why the Identity Check expansion matters even when earlier defenses hold.

Theft Detection Lock uses on-device machine learning to recognize snatch-theft motion, specifically the abrupt acceleration of a phone being grabbed and carried away, and locks the screen immediately, according to Google. As of early 2025, it was fully deployed worldwide to devices running Android 10 or later. Offline Device Lock triggers automatically when a phone goes off-network or accumulates excessive failed authentication attempts, Google noted in 2024, covering the common tactic of removing a SIM card to block remote tracking before the owner can respond.

Remote Lock lets an owner lock a stolen device using only a phone number and a quick security challenge from any other device, no account login required in the moment, buying time to access Find My Device for a full remote wipe, per Google. Factory reset protection closes the resale angle: a wiped phone cannot be set up without the original Google account credentials, making it commercially worthless on the secondary market and removing much of the financial incentive driving theft in the first place, Google explained.

These features each target a different moment in the theft timeline. Theft Detection Lock fires in the first seconds. Offline Device Lock and Remote Lock apply in the minutes and hours that follow. Factory reset protection matters days or weeks later when a thief tries to resell the hardware. Identity Check is what applies throughout all of it, once a thief has a working device and a known PIN and is trying to turn that into something useful.

Who has it and who doesn't

Identity Check is confirmed on Pixel devices running Android 15 and on Samsung Galaxy devices eligible for One UI 7.1, Google said at launch. At that same announcement in early 2025, Google indicated rollout to other manufacturers was planned for later that year, but confirmed availability on non-Pixel, non-Samsung hardware is not documented in available sources. Users on those devices should check Security settings directly rather than assume the feature is present.

The broader stack reaches much further back. Theft Detection Lock, Remote Lock, and Offline Device Lock are all available on Android 10 and later through Play services updates. Find My Device, which provides basic location tracking and remote wipe capability, is available on Android 5 and later, per Google. That baseline exists on a vast majority of Android devices in active use, even for hardware too old to support Identity Check or the newer biometric protections.

The January 2026 expansion is significant precisely because it follows the money. Protecting device settings was necessary groundwork; protecting banking apps and password managers is where the actual financial exposure lives. A stolen phone with a known PIN is harder to exploit than it was before this change. How much harder depends on one thing: whether the phone is outside a location its owner configured as trusted.