More passwordless logins are coming to Android

The FIDO Alliance and Google today announced that Android (from version 7.0 up), with the latest version of Google Play Services, is now FIDO2 certified. At first glance, that sounds rather boring, but it will enable developers to write apps that use a phone’s fingerprint scanner or a FIDO security key to authenticate users without making them type in a password. Since I’m not aware of too many people who like to type in complicated passwords that their IT department makes them change every few months, that’s a big deal.

Developers will be able to enable password-less logins in their web and native apps. Chrome, Microsoft Edge and Firefox already fully support this feature, as does Apple’s Safari (but only in preview). In addition to the convenience, FIDO2 also promises to offer phishing-resistant security, given that this technology won’t let you authenticate on a malicious site.

“Google has long worked with the FIDO Alliance and W3C to standardize FIDO2 protocols, which give any application the ability to move beyond password authentication while offering protection against phishing attacks,” Google product manager Christiaan Brand said. “Today’s announcement of FIDO2 certification for Android helps move this initiative forward, giving our partners and developers a standardized way to access secure keystores across devices, both in market already as well as forthcoming models, in order to build convenient biometric controls for users.”

It’s worth noting that Android already supported password-less authentication for native apps, but now it’ll also support it for browser logins. Once you’ve set up this new authentication mechanism (and once web apps support it), your phone will store all of the cryptographic data on the device, and none of the raw fingerprint data, for example, will be transferred to anybody else.

The FIDO Alliance says this new mechanism will soon enable a billion users on modern Android devices to experience password-less logins. Developers will have to implement support in their web and native applications, but that’s relatively easy.

from TechCrunch