[Update 2: Google Accounts] Android is now FIDO2 certified, allowing for passwordless website and app access
A passwordless world is the future many tech enthusiasts dream about. There is no ETA or progress bar for when this technology will reach maturity, but its arrival is inevitable. Passwords are dated, easily forgettable, and very often insecure, even when you take additional measures like 2-factor authentication. As with many major upcoming trends, Google is also a player in this one. This shouldn’t be at all surprising, considering that this company owns the most popular mobile OS, web browser, and search engine. Google has been working on developing this technology with partners like Microsoft and other tech giants for the past couple of years. Yesterday, the company took another big step towards passwordless authentication.
The FIDO Alliance announced at Mobile World Congress yesterday that Android is now FIDO2 certified. If you haven’t heard of them before, the FIDO Alliance is an association that works on and defines the standards for passwordless authentication. Some of the members of the alliance are Google, Facebook, GitHub, Dropbox, eBay, and many more. Alongside partners from around the world, the FIDO Alliance has been working on FIDO2 certification for the past couple of years.
Apart from the obvious convenience and usability improvements over dated passwords, the FIDO2 protocol also offers much better security. Traditionally, password authentication worked like this: both the user and the service had a secret key, stored on the device and on the server. During the authentication process, the user sends the password to the server, where it’s encrypted and checked against the stored key. If the keys match, the user gains access to their account/content. This method has a big flaw: the authentication keys are stored in two different locations, making them twice as vulnerable to attacks. True, there are methods, like end-to-end encryption, to mitigate this, but hackers are always coming up with new ways to exploit these obvious flaws.
The FIDO2 protocol stores the authentication key only on the user’s device, offline. Therefore, it’s much more secure, reliable, and easier to use. FIDO2 certification is now available on all mobile devices running Android 7.0 Nougat or later. Developers of mobile and web applications can already use the APIs to implement the feature in their own services.
Update 2: Google Accounts
Google has begun rolling out FIDO2 passwordless authentication to Google accounts on Android 7+ devices, starting today with Pixel devices. Users can use their fingerprint or screen lock method instead of typing in their password when visiting certain Google services. This means a user can register their finger once and use it for a bevy of native and web services. The fingerprint is never sent to Google’s servers.
To try it out right now, go to passwords.google.com, choose a site to view or manage a saved password, and follow the instructions to confirm your identity.