With FIDO2 certification for Android, Google is setting the stage for password-less app and website sign-ins on a billion devices
Android is now certified for the FIDO2 authentication
standard, meaning that people who use Google’s mobile operating system may
soon be able to forgo passwords when logging into apps and websites on their
Android-powered devices, the Fast IDentity Online (FIDO) Alliance and Google announced
on Monday.
Instead of passwords, Android users will be
able to sign in with their device’s fingerprint reader or with a FIDO-compliant
security key, according to the press release issued during the ongoing Mobile
World Congress (MWC) in Barcelona, Spain.
“Web and app developers can now add FIDO
strong authentication to their Android apps and websites through a simple API
call, to bring passwordless, phishing-resistant security to a rapidly expanding
base of end users who already have leading Android devices and/or will upgrade
to new devices in the future,” reads the announcement, which also notes that
“any compatible device running Android 7.0+ is now FIDO2 Certified out of the
box or after an automated Google Play Services update”. Support for the FIDO2
authentication scheme is also already integrated into major web browsers.
However, there are additional requirements, starting with app and site developers, who will also need to implement support for FIDO2. Moreover, only the owners of devices running Android 7.0 or higher will be able to use their phones’ biometrics or log in with hardware security keys. Many Android users already have experience with biometric authentication in apps; many banking apps, for example, already support fingerprint or other password-free logins.
That said, there is a lot of room for growth, as only around one-half of Android’s two billion users currently run Android 7.0 or newer.
Since biometric data can be harder to steal or crack than many passwords, obviating the need for passwords greatly enhances protection from phishing scams and other attacks that rely on pilfering users’ credentials. In addition, the authentication takes place on the device itself, meaning that no biometric data or reusable secret is transmitted to or held by the apps or websites – a benefit also highlighted by Christiaan Brand, an identity and security product manager at Google, in a statement for The Verge:
“The important, often overlooked, part of this technology is actually not allowing users to use biometrics to sign in, but rather moving authentication from a ‘shared secret’ model – in which both you and the service you’re interacting with need to know some ‘secret’ like your password – to an ‘asymmetric’ model where you only need to prove that you know a secret, but the remote service doesn’t actually get to know the secret itself”.