Naked Security

Android nudges passwords closer to the cliff edge with FIDO2 support

Android's now on board with saying goodbye to passwords: more than a billion devices now support FIDO2.

The passwordless web came a billion devices closer to reality on Monday when the Fast IDentity Online (FIDO) alliance announced an update to Google Play Services that brings FIDO2 certification to roughly half of all Android devices available today.

Specifically, the alliance said that any compatible device running Android 7.0+ is now FIDO2 certified out of the box or after an automated Google Play Services update.

This will allow users to log in to websites and apps that support the FIDO2 protocols by using their devices’ biometric readers – such as fingerprint or facial recognition. Alternatively, they can log in with other forms of authentication that are compatible with the FIDO2 specification, such as YubiKeys or Titans, which are Google’s own Bluetooth-based version of Yubico’s hardware-based security key.

Releasing the FIDO2 update through the automated Google Play Services feature means that it should be a pretty frictionless security boost. Manufacturers don’t have to adapt their devices or, really, do anything. That should make the security upgrade easier to get users to adopt, in contrast to two-factor authentication (2FA).

Although FIDO2 support will allow Android to accept secure web logins using YubiKey and Titan keys, NFC, and Bluetooth, Google anticipates that fingerprint authentication will be the easiest way, and the one that’s likely to become users’ preferred method.

Google Product Manager Christiaan Brand said that FIDO2 offers protection against phishing attacks, while the FIDO Alliance said that it also protects against man-in-the-middle attacks and those that use stolen credentials.

That’s because biometric data such as fingerprints – used to produce a cryptographic signature – is always stored locally on the device, never sent anywhere else or held by any other party.

Wired quoted Kenn White, director of the Open Crypto Audit Project:

Providing the FIDO2 option gives really strong identity protection for account holders. You and I might be fooled by ‘paypa1.com,’ but a FIDO key won’t be. Among the security community, WebAuthn, which FIDO2 intersects with, is considered one of the strongest account protections there is.

WebAuthn is a recently minted set of rules, an API (Application Programming Interface), that websites and web browsers can use to enable authentication using public key cryptography instead of passwords. It’s one of two keystone technologies required for passwordless web authentication, the other being CTAP (the Client to Authenticator Protocol).

The death of passwords (hopefully!) draws nigh

Android joins what appears to be a march towards a passwordless web that’s picking up the pace. In November, Microsoft announced that its 800 million account holders would be able to log in to services like Outlook, Office, Skype and Xbox Live without using a password.

Before that, we saw Mozilla Firefox, Google Chrome and Microsoft Edge roll out support for WebAuthn.

For devs

For a deep dive into the passwordless web and what developers need to do to get us there, check out our writeup.

Specifically for this new FIDO2-ification of Android, the FIDO Alliance has these resources for developers.

15 Comments

Weak passwords (low entropy secret key authentication) are a problem. Public Key Infrastructure is far preferable (although private keys are often unlocked by passwords). Biometrics are susceptible to impersonation, and share the risk of being copied with physical keys. I’m not a fan of biometrics.

Reply

What about those of us who do not have those fancy phones, but a landline that we cannot text with? There are also some who will not voluntarily give our fingerprints or facial recognition out over the web… regardless of what we are told, the info will be stored, therefore hackable. Seems to me that all of those other ways of identification and security have just as many flaws that can be exploited and could be even more unsafe, even dangerous, in the long run. I’ll keep using my desktop and my password manager as long as I can, then if no longer able, I’ll give up the Internet… save money.

Reply

For clarity – pretty sure Titan Key currently only supports U2F, not FIDO2 as stated.

Reply

The Titan website just says “Titan Security Keys implement FIDO standards”, with the word FIDO linking to a FIDO alliance page that mentions FIDO2 centre-screen (and then, after a few seconds pops up one of those truly annoying “Sign up for updates!” dialogs that pretty much covers everything).

Reply

What happens when an exploit arises where the keys that are “always stored locally on the device” are sent externally? Honest question; I don’t understand the technology enough, but it seems risky to link all my online identities, things that I may not want linked together, to all be protected by a username-like biometric certificate.

Reply

Depends on what “always stored locally” means :-) YubiKeys, for example, have a mode in which they act as a miniature, tamper-proof HSM (hardware security module). The YubiKey itself generates a public/private keypair; the public key can be exported; the YubiKey can be given messages to sign with its internal private key; but the private key can’t be copied out of the YubiKey. So your private key can’t be sent externally or extracted or cloned.

Of course, that means it can’t be backed up either – if the YubiKey breaks or you lose it, bad luck! Also, there’s no biometric or other login protection *on the key*, so if someone steals it they can use it without authenticating against the key itself.

Reply

While eradication of passwords will give a clear boost to users of qwerty and 12345, I(‘ve read Mark’s article and) still have questions.

When vulnerabilities are found in FIDO, what’s the parallel to changing a compromised password? Do I rely (and wait) on third parties, avoiding my bank app until it’s resolved?

I’m also with DaveInNH on biometrics;* not wild about its fallibility. At least I know htpapp**, but as my mother has often said, I’m stuck with this face.

Losing passwords won’t herald the ends of criminals’ careers–whereupon they fall back to the traditional path–they’ll diversify into other methods of theft. What’s the next big low-hanging-fruit paradigm when stolen passwd databases lose usefulness?

Cue epic floods of IoT abuse, server vulns, ransomware, and social engineering…?

Reply

* note I’m not necessarily entirely in New Hampshire
** HTPAPP: maybe it’s the newest protocol circumnavigating the Interwebs!

Reply

Keep both. 2FA layers in some form are good. Not a fan of biometrics either; they can be copied, impersonated, and unlike a password or key you leave locked away somewhere, we are involuntarily leaving traces of our biometric data everywhere, via DNA skin hair samples, fingerprints on doors glasses, our facial data on cameras etc. It’s not revocable, meaning it’s something you can’t exactly change like a password once your biometrics have been compromised.

Reply

Someone else who doesn’t know the technical stuff behind this: what is to stop app developers allowing authentication via a phone’s biometric readers today without FIDO2? I’m sure Android Pay already simply authenticates against biometrics today to allow card transactions, as does Apple Pay. I am sure there is more to it behind the scenes, and simply using your phone as a hardware device rather than having to buy a FIDO certified USB/NFC key will save some users some money, unless you need 2 devices, in which case you will still need one device in addition to your phone. Anyone know if Apple are going to follow suit? Oh, silly of me, that will be in next year’s Apple Keynote lol.

Reply

Phone biometric devices *can* get FIDO certification – one of Samsung’s already has (via fingerprints).

Presumably you can set your phone so it always needs unlocking with a code, even before you can fire up the fingerprint reader, which would mean you’d need a specific phone, a specific finger (or good facsimile) and a specific passcode.

Reply

There are several problems, one being losing either of those devices, mobile phone or USB security token, through theft or bricking of the mobile device, not to mention that those USB keys can be lost in fires, floods, a nuclear bomb. Oh, what happens to your security box when the bank closes down for business permanently? Most of us folks don’t have access to banks; being close to a bank is a luxury that most don’t have.
Did the folks behind the FIDO alliance think things through? Biometrics can be stolen,
and to add the cherry on top, well, there are bills that people need to pay. Bills are an inescapable part of life, with little or no money left to buy a cup of coffee.

Reply
