Android nudges passwords closer to the cliff edge with FIDO2 support

The passwordless web came a billion devices closer to reality on Monday when the Fast IDentity Online (FIDO) alliance announced an update to Google Play Services that brings FIDO2 certification to roughly half of all Android devices available today.

Specifically, the alliance said that any compatible device running Android 7.0+ is now FIDO2 certified out of the box or after an automated Google Play Services update.

This will allow users to log in to websites and apps that support the FIDO2 protocols using their devices’ biometric readers, such as a fingerprint sensor or facial recognition. Alternatively, they can log in with other authenticators compatible with the FIDO2 specification, such as a YubiKey or Google’s own Titan Security Key, hardware keys that talk to the phone over USB, NFC or Bluetooth.

Releasing the FIDO2 update through the automated Google Play Services feature means that it should be a pretty frictionless security boost. Manufacturers don’t have to adapt their devices or, really, do anything. That should make the security upgrade easier to get users to adopt, in contrast to two-factor authentication (2FA).

Although FIDO2 support lets Android accept secure web logins from external keys such as YubiKey and Titan over USB, NFC or Bluetooth, Google anticipates that the built-in fingerprint reader will be the easiest option, and the one most likely to become users’ preferred method.

Google Product Manager Christiaan Brand said that FIDO2 offers protection against phishing attacks, while the FIDO Alliance said that it also protects against man-in-the-middle attacks and those that use stolen credentials.

That’s because the fingerprint never leaves the phone: biometric data is stored and matched locally, and a successful match only unlocks a private key held on the device. What the website receives is not the fingerprint but a signature over a one-time challenge, bound to the site’s origin, so a lookalike phishing domain, an interceptor on the network, or a thief with a copy of the server’s database has nothing it can replay as a password.

Wired quoted Kenn White, director of the Open Crypto Audit Project:

Providing the FIDO2 option gives really strong identity protection for account holders. You and I might be fooled by ‘,’ but a FIDO key won’t be. Among the security community, WebAuthn, which FIDO2 intersects with, is considered one of the strongest account protections there is.

WebAuthn is a W3C specification, an API (Application Programming Interface) that websites and web browsers use to authenticate with public key cryptography instead of passwords. It’s one of two keystone technologies required for passwordless web authentication; the other is CTAP (Client to Authenticator Protocol), the FIDO protocol the browser or OS uses to talk to the authenticator, whether that is an external key or the phone’s own fingerprint sensor and secure hardware.

The death of passwords (hopefully!) draws nigh

Android joins what appears to be a march towards a passwordless web that’s picking up the pace. In November, Microsoft announced that its 800 million account holders would be able to log in to services like Outlook, Office, Skype and Xbox Live without using a password.

Before that, we saw Mozilla Firefox, Google Chrome and Microsoft Edge roll out support for WebAuthn.

For devs

For a deep dive into the passwordless web and what developers need to do to get us there, check out our writeup.

Specifically for this new FIDO2-ification of Android, the FIDO Alliance has these resources for developers.