Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Support for FIDO2 Passwordless Authentication Added to Android

Android becomes FIDO2 Certified

Android becomes FIDO2 Certified

Google and FIDO Alliance on Monday announced that it is now easier for developers to provide passwordless authentication features for their Android websites and apps as a result of Android becoming FIDO2 Certified.

Security experts have long argued that relying only on passwords introduces significant risks and many even believe that passwords should be completely replaced with more secure authentication methods. The FIDO Alliance aims to address these problems by creating, promoting and certifying alternative authentication methods that are both highly secure and easy to use.

The FIDO2 Project comprises the W3C’s Web Authentication (WebAuthn) specification, which provides a standard web API that enables online services to use FIDO authentication, and the Client-to-Authenticator Protocol (CTAP), which enables devices such as FIDO security keys and smartphones to serve as authenticators via WebAuthn.

Now that Android has become FIDO2 Certified, it will be easier for developer to enable users to log into apps and websites using their Android device’s built-in fingerprint sensor and/or FIDO security keys.

The FIDO2 certification has been granted to devices running Android 7 and later. New devices will be certified out of the box, while existing devices will include FIDO2 support after an automated Google Play Services update. Since a Google Play Services update is used to roll out FIDO2 support, users will not have to wait on their device’s manufacturer to benefit from passwordless authentication capabilities.

The use of FIDO authentication, which can be implemented by developers via a simple API call, increases protection against phishing, man-in-the-middle (MitM) and other types of attacks.

“Google has long worked with the FIDO Alliance and W3C to standardize FIDO2 protocols, which give any application the ability to move beyond password authentication while offering protection against phishing attacks,” said Christiaan Brand, product manager at Google. “Today’s announcement of FIDO2 certification for Android helps move this initiative forward, giving our partners and developers a standardized way to access secure keystores across devices, both in market already as well as forthcoming models, in order to build convenient biometric controls for users.”

The FIDO Alliance provides information on what Android device manufacturers need to do in order to display the FIDO Certified logo on their products.

Advertisement. Scroll to continue reading.

Related: Why User Names and Passwords Are Not Enough

Related: Password Practices Still Poor, Google Says

Related: Facebook Offers FIDO-based Authentication Option

Related: Google Offers Added Account Protection With ‘Security Key’

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Funding/M&A

The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...