Just announced, an update to Google Play Services is rolling out now which adds FIDO2 certification to roughly half of all Android devices available today. The update lets you log in to supported apps and services with the fingerprint or PIN on your device rather than requiring a password.
FIDO2 is designed to keep the authentication of your accounts stored locally on the device. As Google’s Christiaan Brand explains via The Verge, this takes away the “shared secret”. Rather than both you and the service authenticating the account with the password you both know, FIDO2 lets Android users prove they are the authenticated user without the service knowing the “secret.” In this case, the all-too-common security breach won’t expose any of your data.
This functionality is already live in some apps, such as banking applications, but the new certification opens it up to everyone. That means other app developers can implement FIDO2 support in their Android apps, and browsers support the APIs as well.
With this news, any compatible device running Android 7.0+ is now FIDO2 Certified out of the box or after an automated Google Play Services update.
“Google has long worked with the FIDO Alliance and W3C to standardize FIDO2 protocols, which give any application the ability to move beyond password authentication while offering protection against phishing attacks. Today’s announcement of FIDO2 certification for Android helps move this initiative forward, giving our partners and developers a standardized way to access secure keystores across devices, both in market already as well as forthcoming models, in order to build convenient biometric controls for users,” said Christiaan Brand, Product Manager, Google.
Already supported in market by leading web browsers Google Chrome, Microsoft Edge, and Mozilla Firefox (with preview support by Apple Safari), FIDO2 is comprised of the World Wide Web Consortium’s (W3C) Web Authentication specification and the corresponding Client to Authenticator Protocol (CTAP) from FIDO Alliance. Collectively, these standards enable users to easily and securely log in to online services with FIDO2-compliant devices such as fingerprint readers, cameras and/or FIDO security keys.
FIDO2’s simple user experiences are backed by strong cryptographic security that is transparent to the user and protects against phishing, man-in-the-middle and attacks using stolen credentials. FIDO2 support has been growing since the specifications were introduced last spring. In addition to browser and platform support, several FIDO2 Certified products have been announced to support implementation.
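The removal of the "shared secret" described earlier and the phishing protection described above can both be seen in a simplified model. This is an added example, not code from Google or the FIDO Alliance, and it does not implement the WebAuthn or CTAP message formats; the function names, the `example.test` origins and the JSON client-data layout are assumptions made for illustration.

```javascript
// Added illustration: simplified FIDO2-style sign-in; names, origins and data layout are assumed.
const nodeCrypto = require('crypto');

// Device side: the key pair is generated on the device; the private key never leaves it.
function createAuthenticator() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey: publicKey.export({ type: 'spki', format: 'pem' }),
    // Signs the challenge together with the origin the client is actually connected to.
    sign(challenge, origin) {
      const clientData = JSON.stringify({ challenge: challenge.toString('base64'), origin });
      return { clientData, signature: nodeCrypto.sign('sha256', Buffer.from(clientData), privateKey) };
    },
  };
}

// Service side: only the public key is stored, so a leaked database cannot sign anything.
function createService(origin) {
  const users = new Map();   // username -> public key (PEM)
  const pending = new Map(); // username -> outstanding challenge (base64)
  return {
    users,
    register(user, publicKeyPem) { users.set(user, publicKeyPem); },
    newChallenge(user) {
      const challenge = nodeCrypto.randomBytes(32);
      pending.set(user, challenge.toString('base64'));
      return challenge;
    },
    verify(user, { clientData, signature }) {
      const expected = pending.get(user);
      pending.delete(user); // challenges are single use, so a replayed response fails
      if (!expected || !users.has(user)) return false;
      const data = JSON.parse(clientData);
      if (data.challenge !== expected || data.origin !== origin) return false;
      return nodeCrypto.verify('sha256', Buffer.from(clientData), users.get(user), signature);
    },
  };
}

// Constructed scenario: a genuine login, a replay, and a response signed for a look-alike origin.
function demo() {
  const service = createService('https://bank.example.test');
  const device = createAuthenticator();
  service.register('alice', device.publicKey);
  const good = device.sign(service.newChallenge('alice'), 'https://bank.example.test');
  const login = service.verify('alice', good), replay = service.verify('alice', good);
  const phished = device.sign(service.newChallenge('alice'), 'https://bank-example.test');
  return { login, replay, lookalikeOrigin: service.verify('alice', phished) };
}
console.log(demo());
```

Only the first verification succeeds: the replayed response fails because its challenge was already consumed, and the response signed for the look-alike origin fails the origin check even though the signature itself is valid.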