More Password-Less Logins, As Android 7 And Up Supports FIDO2

Google has long offered authentication methods that let users sign in without a password, using other means instead.

To make things even more convenient for users, Google and the FIDO Alliance have announced that Android 7 (Nougat) and later are FIDO2 certified.

This means Android app developers can build apps that use the phone's fingerprint scanner or a FIDO security key to authenticate users without having them type a password. Developers can thereby enable password-less logins in both their web and native apps.

Since the feature is already supported in Chrome, Microsoft Edge and Firefox, as well as in Apple's Safari (preview only), Google and FIDO are confident that it can be adopted fairly quickly by the more than 1 billion Android 7 users.

And because Google is pushing the update through Google Play Services, the feature can be made available to all Android 7 and up devices without device manufacturers having to change or adapt anything.

This is certainly good news for the Android ecosystem, which is notorious for being slow to roll out updates.

Christiaan Brand, Google product manager for identity and security, said that:

"Google has long worked with the FIDO Alliance and W3C to standardize FIDO2 protocols, which give any application the ability to move beyond password authentication while offering protection against phishing attacks."

"Today’s announcement of FIDO2 certification for Android helps move this initiative forward, giving our partners and developers a standardized way to access secure keystores across devices, both in market already as well as forthcoming models, in order to build convenient biometric controls for users."

In addition to the convenience, FIDO2 also promises phishing-resistant security: the technology prevents users from authenticating themselves to malicious sites.

FIDO2 password-less authentication

It's worth noting that Android already supports password-less authentication for certain apps, including banking apps, where users can authenticate with their fingerprint, their camera, or hardware such as a YubiKey.

With this update, FIDO2 extends that functionality to web services accessed through mobile browsers on Android.

Users first enrol in the new authentication mechanism. Once a web app supports it, all of the cryptographic material is stored on the user's phone; no raw data, such as fingerprint information, is ever transferred to anyone.

This means no credential data is handed to the apps and services that use it, which prevents man-in-the-middle, phishing and brute-force attacks.

This resembles SSO (single sign-on), which lets users authenticate without their login credentials being seen or stored on the servers of the web apps that support it.
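The mechanism described above (the key pair never leaves the phone, and the browser-supplied origin is signed into every assertion) is what makes FIDO2 phishing-resistant. The Go program below is an added example, not code from Google, the FIDO Alliance or this article: it simulates an authenticator holding one P-256 key per relying party and a server verifying a simplified WebAuthn assertion. The authenticator data is reduced to rpIdHash, flags and signature counter (real assertions also carry a credential ID and CBOR-encoded attestation, which are omitted); the hostnames, the challenge strings and the error messages are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)
// assertion is a simplified navigator.credentials.get() response as the server sees it.
// ClientDataJSON carries {type, challenge, origin}; the browser, not the page's script,
// fills in origin, so a phishing page cannot claim to be the real site.
type assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON []byte
	Signature      []byte // DER ECDSA over AuthData || SHA-256(ClientDataJSON)
}

// authenticator stands in for the phone's keystore: one P-256 key per relying-party ID.
type authenticator struct {
	keys      map[string]*ecdsa.PrivateKey // private keys never leave the device
	signCount uint32
}

// signedDigest is what both sides hash: authenticatorData || SHA-256(clientDataJSON).
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// sign mimics navigator.credentials.get(); it refuses if no key is registered for rpID.
func (a *authenticator) sign(rpID, origin, challenge string) (assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return assertion{}, errors.New("authenticator: no credential registered for this rpId")
	}
	cdJSON, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	a.signCount++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x05, 0, 0, 0, 0) // flags 0x05 = user present | user verified
	binary.BigEndian.PutUint32(authData[33:], a.signCount)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cdJSON))
	return assertion{AuthData: authData, ClientDataJSON: cdJSON, Signature: sig}, err
}

// relyingParty is the server side: it stores each user's public key and last counter.
type relyingParty struct {
	rpID, origin string
	pubKey       *ecdsa.PublicKey
	lastCounter  uint32
}

// verify applies the core checks of the WebAuthn assertion-verification procedure.
func (rp *relyingParty) verify(expectedChallenge string, a assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil || len(a.AuthData) < 37 {
		return errors.New("malformed assertion")
	}
	rpHash := sha256.Sum256([]byte(rp.rpID))
	counter := binary.BigEndian.Uint32(a.AuthData[33:37])
	switch {
	case cd["type"] != "webauthn.get" || cd["challenge"] != expectedChallenge:
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd["origin"] != rp.origin: // the phishing-resistance check
		return errors.New("origin mismatch: assertion was signed on another site")
	case string(a.AuthData[:32]) != string(rpHash[:]) || a.AuthData[32]&0x01 == 0:
		return errors.New("rpIdHash mismatch or user not present")
	case counter <= rp.lastCounter:
		return errors.New("signature counter did not increase: possible cloned authenticator")
	case !ecdsa.VerifyASN1(rp.pubKey, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature):
		return errors.New("signature does not verify")
	}
	rp.lastCounter = counter
	return nil
}

// runScenarios registers one credential, then tries a genuine login, two phishing attempts and a replay.
func runScenarios() map[string]error {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration: the key pair is born on the device
	auth := &authenticator{keys: map[string]*ecdsa.PrivateKey{"example.com": priv}}
	rp := &relyingParty{rpID: "example.com", origin: "https://login.example.com", pubKey: &priv.PublicKey}
	challenge := "c29tZS1yYW5kb20tY2hhbGxlbmdl" // constructed; real RPs draw a fresh one from a CSPRNG per login
	res := map[string]error{}
	genuine, _ := auth.sign("example.com", "https://login.example.com", challenge)
	res["genuine"] = rp.verify(challenge, genuine)
	// The browser derives rpId from the page origin, so a look-alike site cannot even request the credential:
	evil := "https://login.example.com.evil.test"
	_, res["phish-no-credential"] = auth.sign("login.example.com.evil.test", evil, challenge)
	// Even if an assertion for the right rpId were produced on the wrong origin, the signed origin exposes it:
	relayed, _ := auth.sign("example.com", evil, challenge)
	res["phish-relay"] = rp.verify(challenge, relayed)
	// Resubmitting the genuine assertion after a fresh challenge was issued fails too:
	res["replay"] = rp.verify("bmV3LWNoYWxsZW5nZQ", genuine)
	return res
}
func main() { fmt.Println(runScenarios()) }
```

The server never sees a password or a biometric: it stores a public key and checks a signature over data the browser assembled, which is why the origin check in `verify` is the decisive step. A look-alike site cannot obtain a valid assertion for the real site, and even a relayed one is rejected because the origin it was signed on is part of the signed payload.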

The feature should also be good news for people who are constantly warned not to reuse the same password across online accounts. Since remembering multiple logins is daunting, password-less authentication could make passwords a thing of the past for Android users.

On phones without a fingerprint sensor, users authenticate with a PIN or swipe pattern instead.

This feature was presented at the 2019 Mobile World Congress in Barcelona, Spain.

Published: 26/02/2019