Monday, February 25, 2019

Android Is Helping Kill Passwords on a Billion Devices

Alyssa Foote; Lauren Joseph; Getty Images


It's more important than ever to manage your passwords online, and also harder to keep up with them. That's a bad combination. So the FIDO Alliance—a consortium that develops open source authentication standards—has pushed to expand its secure login protocols to make seamless logins a reality. Now Android's on board, which means 1 billion devices can say goodbye to passwords in more digital services than seen before.

On Monday, Google and the FIDO Alliance announced that Android has added certified support for the FIDO2 standard, meaning the vast majority of devices running Android 7 or later will now be able to handle password-less logins in mobile browsers like Chrome. Android already offered secure FIDO login options for mobile apps, where you authenticate using a phone's fingerprint scanner or with a hardware dongle like a YubiKey. But FIDO2 support will make it possible to use these easy authentication steps for web services in a mobile browser, instead of having the tedious task of typing in your password every time you want to log in to an account. Web developers can now design their sites to interact with Android's FIDO2 management infrastructure.
"Google got involved in FIDO quite some ways back, particularly because of phishing, which we think is one of the biggest issues of authentication on the web today," says Christiaan Brand, a product manager at Google focused on identity and security. "The natural evolution was looking toward FIDO2. Customers are already used to using these sensors on the device for authenticating into applications every day, so how do we make that technology available to websites?"
Developers can implement FIDO2 authentication in a number of different variations depending on what makes sense for their product, but all the versions offer additional phishing protection by requiring user participation during sign-in (like doing a fingerprint scan or producing a dongle) so attackers can't get as far with usernames and passwords alone.
FIDO2 and a related standard, WebAuthn, created by the FIDO Alliance and the World Wide Web Consortium, have gained ubiquity through adoption by all the major browsers—except Safari, though Apple has hinted it will add support—and platforms like Microsoft account sign-in. But Android represents a big step, because it will enable a major subset of mobile developers to start offering universal password-less logins. Google's Brand points out that under FIDO2, developers will even be able to streamline their mobile browser and set up password-less login on the web, using that authentication step carry over to a service's app or vice versa.
"We got to the point where it was implemented in browsers, but now we’re seeing FIDO technology sedimented in an even broader user base," according to Andrew Shikiar, chief marketing officer of the FIDO Alliance.
Since Android is open source and can be deployed by device manufacturers in all different ways, the platform has issues keeping the global population of devices up to date with the latest operating system and features. But Brand says that Google is releasing the FIDO2 update through a mechanism called Google Play Services that will allow it to reach almost all devices running Android 7 or later, without manufacturers needing to do or adapt anything. What this means is the update will actually be able to get to most of Android's massive user base.
Though FIDO2 support will allow Android to accept secure web logins using dongles, NFC, and Bluetooth, Google is envisioning fingerprint authentication as the easiest approach, and the one that is likely to become most popular with users. And both Google and the FIDO Alliance emphasize that in all of this, your fingerprint data is still always stored locally on your device and isn't sent anywhere else or held by any other party. The sensor creates a cryptographic signature from your fingerprint data that is then used in FIDO2's authentication scheme.
"Providing the FIDO2 option gives really strong identity protection for account holders," says Kenn White, director of the Open Crypto Audit Project. "You and I might be fooled by 'paypa1.com,' but a FIDO key won’t be. Among the security community, WebAuthn, which FIDO2 intersects with, is considered one of the strongest account protections there is."
Though FIDO2 promises a much easier web security experience for users, it will take time to achieve adoption anywhere near as universal as traditional password schemes. And digital identity experts warn that any single credential, no matter how robust, is always more secure when paired with a strategic second authentication factor. Unfortunately, even in a glorious utopia free of passwords, there’s never a magic bullet for account security.

By /lily-hay-newman/