Android finally got FIDO2 certified in an announcement made on Monday by the FIDO Alliance and Google at Mobile World Congress, but what does this mean for you?
What is the FIDO Alliance and how does FIDO2 work?
The FIDO (Fast Identity Online) Alliance is an association of tech giants including Google, Microsoft, Facebook, GitHub, eBay and Dropbox, among others, that works on and helps define passwordless authentication standards. The goal is interoperable mechanisms that are far more secure and easier to use than passwords, ranging from biometrics such as fingerprints and facial scans to 2-factor authentication devices.
They have been working on FIDO2 certification for the past couple of years and as of yesterday’s announcement, the FIDO Alliance and Google took a giant leap to bring that passwordless life closer to reality on Android.
Passwords are flawed: they are relatively insecure, inconvenient and easily forgotten, even with 2-factor authentication. Passwords work like this: both the user and the service they connect to hold a secret, stored on the service's servers and on the user's device, so that during login the user's password is sent to the servers, encrypted and cross-checked against the stored secret. If they match, you gain access to your account. The weakness of this method is that the secret exists in two locations, which increases the chances of it being stolen.
The main FIDO approach is a personal device, such as a smartphone or a token, that uses a set of cryptographic keys to securely access FIDO-enabled services such as Microsoft, PayPal or Google. FIDO authentication data is never stored with the service, which protects your privacy and shields your login credentials from would-be hackers.
The crème de la crème of this protocol is that users will no longer have to be torn between better security and better user experience: you get both, and over 400 services have already been certified by the alliance.
What the FIDO2 method does is store the authentication key on your device only, offline, making it secure, reliable and more convenient for you. WebAuthn integration goes further to enhance the protection of your account.
When is it rolling out?
FIDO2 certification is now available for devices running Android 7.0 Nougat and later, meaning that they will now be able to handle passwordless logins in mobile browsers such as Google's Chrome. Some Android apps had already integrated the FIDO approach to authentication using face unlock, the fingerprint sensor or a dongle such as the YubiKey.
The certification means that web and app developers can now use FIDO APIs to seamlessly offer universal passwordless logins in mobile browsers and on the web.
To speed up adoption, Google is pushing this approach via Google Play Services so that it reaches most devices running Android 7.0 Nougat without smartphone manufacturers having to do anything, which gets it to the largest number of users.