With FIDO2 certification for Android, Google is setting the stage for password-less app and website sign-ins on a billion devices
Android is now certified for the FIDO2 authentication standard, meaning that people who use Google’s mobile operating system may soon be able to forgo passwords when logging into apps and websites on their Android-powered devices, the Fast IDentity Online (FIDO) Alliance and Google announced on Monday.
Instead of passwords, Android users will be able to sign in with their device’s fingerprint reader or with a FIDO-compliant security key, according to the press release issued during the ongoing Mobile World Congress (MWC) in Barcelona, Spain.
“Web and app developers can now add FIDO strong authentication to their Android apps and websites through a simple API call, to bring passwordless, phishing-resistant security to a rapidly expanding base of end users who already have leading Android devices and/or will upgrade to new devices in the future,” reads the announcement, which also notes that “any compatible device running Android 7.0+ is now FIDO2 Certified out of the box or after an automated Google Play Services update”. Support for the FIDO2 authentication scheme is also already integrated into major web browsers.
However, there are additional requirements, starting with app and site developers, who will also need to implement support for FIDO2. Moreover, only the owners of devices running Android 7.0 or higher will be able to use their phones’ biometrics or log in with hardware-based dongles. In fact, many Android users already have experience with biometric authentication in apps, as many apps, for example in the banking sector, already support fingerprint and/or other password-free logins.
That said, there is a lot of room for growth, as around one-half of Android’s two billion users currently utilize Android 7.0 or newer.
Since biometric data can be harder to steal or crack than many passwords, obviating the need for passwords greatly enhances protection from phishing scams and other attacks that rely on pilfering users’ credentials. In addition, the authentication takes place on the device itself, meaning that no authentication data is transmitted to or held by the apps or websites – a benefit also highlighted by Christiaan Brand, an identity and security product manager at Google, in a statement for The Verge:
“The important, often overlooked, part of this technology is actually not allow users to use biometrics to sign in, but rather moving authentication from a ‘shared secret’ model – in which both you and the service you’re interacting with needs to know some ‘secret’ like your password – to an ‘asymmetric’ model where you only need to prove that you know a secret, but the remote service doesn’t actually get to know the secret itself”.