It's more important than ever to manage your passwords online, and also harder to keep up with them. That's a bad combination. So the FIDO Alliance—a consortium that develops open source authentication standards—has pushed to expand its secure login protocols to make seamless logins a reality. Now Android's on board, which means 1 billion devices can say goodbye to passwords in more digital services than ever before.
On Monday, Google and the FIDO Alliance announced that Android has added certified support for the FIDO2 standard, meaning the vast majority of devices running Android 7 or later will now be able to handle password-less logins in mobile browsers like Chrome. Android already offered secure FIDO login options for mobile apps, where you authenticate using a phone's fingerprint scanner or with a hardware dongle like a YubiKey. But FIDO2 support will make it possible to use these easy authentication steps for web services in a mobile browser, instead of the tedious task of typing in your password every time you want to log in to an account. Web developers can now design their sites to interact with Android's FIDO2 management infrastructure.
"Google got involved in FIDO quite some ways back, particularly because of phishing, which we think is one of the biggest issues of authentication on the web today," says Christiaan Brand, a product manager at Google focused on identity and security. "The natural evolution was looking toward FIDO2. Customers are already used to using these sensors on the device for authenticating into applications every day, so how do we make that technology available to websites?"
Developers can implement FIDO2 authentication in a number of different variations depending on what makes sense for their product, but all the versions offer additional phishing protection by requiring user participation during sign-in (like doing a fingerprint scan or producing a dongle), so attackers can't get as far with usernames and passwords alone.
FIDO2 and a related standard, WebAuthn, created by the FIDO Alliance and the World Wide Web Consortium, have gained ubiquity through adoption by all the major browsers—except Safari, though Apple has hinted it will add support—and platforms like Microsoft account sign-in. But Android represents a big step, because it will enable a major subset of mobile developers to start offering universal password-less logins. Google's Brand points out that under FIDO2, developers will even be able to streamline their mobile browser and set up password-less login on the web, and have that authentication step carry over to a service's app, or vice versa.
"We got to the point where it was implemented in browsers, but now we're seeing FIDO technology sedimented in an even broader user base," according to Andrew Shikiar, chief marketing officer of the FIDO Alliance.
Since Android is open source and can be deployed by device manufacturers in all different ways, the platform has issues keeping the global population of devices up to date with the latest operating system and features. But Brand says that Google is releasing the FIDO2 update through a mechanism called Google Play Services that will allow it to reach almost all devices running Android 7 or later, without manufacturers needing to do or adapt anything. That means the update will actually be able to reach most of Android's massive user base.
Though FIDO2 support will allow Android to accept secure web logins using dongles, NFC, and Bluetooth, Google is envisioning fingerprint authentication as the easiest approach, and the one that is likely to become most popular with users. And both Google and the FIDO Alliance emphasize that in all of this, your fingerprint data is still always stored locally on your device and isn't sent anywhere else or held by any other party. The sensor creates a cryptographic signature from your fingerprint data that is then used in FIDO2's authentication scheme.
"Providing the FIDO2 option gives really strong identity protection for account holders," says Kenn White, director of the Open Crypto Audit Project. "You and I might be fooled by 'paypa1.com,' but a FIDO key won't be. Among the security community, WebAuthn, which FIDO2 intersects with, is considered one of the strongest account protections there is."
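The three points the article makes about FIDO2 (the authenticator signs rather than sending a secret, the user has to take part on the device, and a look-alike domain such as 'paypa1.com' cannot reuse the login) are easiest to see in a relying party's verification code. The following Go program is an added example written for this page, not code from Google, the FIDO Alliance, or any WebAuthn library. It models a phone-style authenticator and a web service with the standard library only: the names `Authenticator`, `RelyingParty`, `Assert`, `Verify` and `NewChallenge` are this example's own, the sample relying party `example.com` and the look-alike `examp1e.com` are constructed, and the model is simplified (one credential, no attestation, signature counter left at zero). The signed message layout, `authenticatorData || SHA-256(clientDataJSON)` with the relying party ID hash and the user-presence flag inside `authenticatorData`, follows the WebAuthn assertion format.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData mirrors the CollectedClientData the browser serialises. The browser,
// not the page, fills in the origin, so a look-alike domain cannot lie about it.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Assertion is what the site receives from navigator.credentials.get().
type Assertion struct {
	AuthenticatorData []byte // rpIdHash (32) || flags (1) || signature counter (4)
	ClientDataJSON    []byte
	Signature         []byte // DER ECDSA over authenticatorData || SHA-256(clientDataJSON)
}
// Authenticator stands in for the phone: the key never leaves it, and the local
// fingerprint or touch check only decides whether it signs (constructed model).
type Authenticator struct {
	Key  *ecdsa.PrivateKey
	RPID string
}
// RelyingParty is the web service; all it keeps from registration is the public key.
type RelyingParty struct {
	RPID   string
	Origin string
	PubKey *ecdsa.PublicKey
}
func rpIDHash(id string) []byte { h := sha256.Sum256([]byte(id)); return h[:] }

// signedMessage is the digest both sides compute: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.New()
	h.Write(authData)
	h.Write(cdHash[:])
	return h.Sum(nil)
}

// Assert signs the challenge for the origin the browser reports; userPresent is
// the outcome of the local fingerprint or touch check.
func (a *Authenticator) Assert(origin, challenge string, userPresent bool) (Assertion, error) {
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin}) // cannot fail for this struct
	authData := make([]byte, 37) // counter bytes stay zero in this model
	copy(authData, rpIDHash(a.RPID))
	if userPresent {
		authData[32] |= 0x01 // UP flag: the person at the device took part
	}
	sig, err := ecdsa.SignASN1(rand.Reader, a.Key, signedMessage(authData, cd))
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// NewChallenge issues 32 fresh random bytes; they must come back inside the signed clientDataJSON.
func (rp *RelyingParty) NewChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Verify applies the checks that make the scheme phishing-resistant.
func (rp *RelyingParty) Verify(challenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Challenge != challenge:
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin %q is not %q: assertion was signed on a look-alike site", cd.Origin, rp.Origin)
	case len(as.AuthenticatorData) < 37 || !bytes.Equal(as.AuthenticatorData[:32], rpIDHash(rp.RPID)):
		return fmt.Errorf("rpIdHash does not match this relying party")
	case as.AuthenticatorData[32]&0x01 == 0:
		return fmt.Errorf("user presence flag not set")
	case !ecdsa.VerifyASN1(rp.PubKey, signedMessage(as.AuthenticatorData, as.ClientDataJSON), as.Signature):
		return fmt.Errorf("signature does not verify under the registered key")
	}
	return nil
}
func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	phone := &Authenticator{Key: key, RPID: "example.com"}
	site := &RelyingParty{RPID: "example.com", Origin: "https://example.com", PubKey: &key.PublicKey}
	for _, origin := range []string{"https://example.com", "https://examp1e.com"} {
		ch, _ := site.NewChallenge()
		as, _ := phone.Assert(origin, ch, true)
		fmt.Println(origin, "->", site.Verify(ch, as))
	}
}
```

Running it prints `<nil>` for the genuine origin and an origin-mismatch error for `examp1e.com`: the same key, the same fingerprint check and a perfectly valid signature are rejected because the browser wrote the look-alike origin into the signed data. The other branches of `Verify` cover the remaining properties the article describes: a reused challenge, an assertion produced without user presence, or a signature from a key the site never registered all fail before the user is logged in.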
Though FIDO2 promises a much easier web security experience for users, it will take time to achieve adoption anywhere near as universal as traditional password schemes. And digital identity experts warn that any single credential, no matter how robust, is always more secure when paired with a strategic second authentication factor. Unfortunately, even in a glorious utopia free of passwords, there's never a magic bullet for account security.
By Lily Hay Newman