Google's Hiroshi Lockheimer is doing an AMA on Reddit today, and the topic of discussion are the all-new Nexus 5X and Nexus 6P. Google officially announced both new phones yesterday during an event in San Francisco alongside the Pixel C and the all new Chromecast as well as Chromecast Audio. One of the most significant changes to the Nexus lineup with the Nexus 5X and the Nexus 6P is the addition of the fingerprint sensor on the back of each phone, which allows users to secure their devices with a fingerprint instead of having to rely on typing in a PIN or password every time they want to unlock the device. It also supports Android Pay, meaning users can tap the fingerprint sensor at checkout after they tap the phone to supported NFC payment stations.
While part of the reasoning for having fingerprint sensors on the device revolves around security, it's only natural that some users should have concerns about whether the technology powering it, (and the data received by it, I.E. the fingerprint) is secure. According to Lockheimer, the fingerprint features are securely encrypted on the device and data is stored on the device locally, meaning Google never has access to it and nothing is stored in the cloud. He also states that the APIs for fingerprints within Android 6.0 Marshmallow never allow apps access to the fingerprint data.
In addition to fingerprint data being secure and stored locally, Google touts the speed and the accuracy of the fingerprint sensor stating that "it's really fast and highly accurate." Google would be expected to say about their own products of course, but according to the earlier claims from yesterday's announcements it can recognize fingerprints in less than 600 milliseconds. Since fingerprint data isn't stored locally, this means that each time you acquire a new device, (say as part of Google's Nexus Protect program) you would need to recapture the fingerprint on the new device. This might seem a little tedious to some, but Google's reasoning comes back to security. Without Google having access to the data, there is much less worry that outside parties could get a hold of your fingerprint data. If it would happen, it wouldn't be from hacking into Google's servers and gaining access to a trove of fingerprints. Google also points out that if a phone is ever lost or stolen, users can access Android Device Manager and remotely wipe their data, of course, the phone will need to still be connected to the network for this to take place at the time of initiation.