Regain Your Privacy

Google Android is rolling out passwordless website and app access based on FIDO2

Google has begun rolling out passwordless website and app access based on FIDO2 standards,  W3C WebAuthn and FIDO CTAP.In this post,we checkout what is FIDO & how it enables passwordless website and app access.

FIDO2 (Fast Identity Online Alliance) allows the same credentials be used by both native apps and web services.This means that a user only has to register their fingerprint with a service once and then the fingerprint will work for both the native application and the web service.Also note, your fingerprint is never sent to Google’s servers, it is securely stored on your device, and only a cryptographic proof that you’ve correctly scanned is sent to Google’s servers.

Image – Businesses have a password problem / FIDO Alliance

What is FIDO ?

FIDO Alliance is based on free and open standards, FIDO Authentication enables password-only logins to be replaced with secure and fast login experiences across websites and apps.FIDO protocols use standard public key cryptography to provide stronger authentication. During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge.

The client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user–friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second–factor device or pressing a button.

Image – FIDO Login Process

FIDO Login Process

  1. FIDO approved service challenges the user to login with a previously registered device that matches the service’s acceptance policy.
  2. User unlocks the FIDO authenticator using the same method as done during Registration.
  3. Device then uses the user’s account identifier provided by the service to select the correct key and sign the service’s challenge.
  4. Client device sends the signed challenge back to the service, which verifies it with the stored public key and logs in the user.

Web Authentication Flow

Image – Web Authentication Flow

In order to use WebAuthn, the user needs an external security device (like a FIDO 2 security key) or internal authenticators (like fingerprint readers, or facial recognition).

Google is using the FIDO2 capability on Android to register a platform-bound FIDO credential. When the user visits a compatible service, such as passwords.google.com, Google issues a WebAuthn “Get” call, passing in the credentialId that is got when creating the credential. The result is a valid FIDO2 signature.

Image – High-level architecture of FIDO based authentication

FIDO verifies your identity by using your fingerprint or screen lock instead of a password when visiting certain Google services. This feature is being rolled out starting Aug 12th 2019 on Pixel devices and coming to all Android 7+ devices over the next few days.

Image – FIDO based login

To try it out right now, go to passwords.google.com, choose a site to view or manage a saved password, and follow the instructions to confirm your identity.

For additional security, use two-step verification with hardware keys like the ones below

Additional Resources

Like this post? Don’t forget to share it!

Summary
Article Name
Google Android is rolling out passwordless website and app access based on FIDO2
Description
FIDO Alliance is based on free and open standards, FIDO Authentication enables password-only logins to be replaced with secure and fast login experiences across websites and apps.
Author
Publisher Name
Upnxtblog
Publisher Logo
Karthik

Allo! My name is Karthik,experienced IT professional.Upnxtblog covers key technology trends that impacts technology industry.This includes Cloud computing,Blockchain,Machine learning & AI,Best mobile apps, Best tools/open source libs etc.,I hope you would love it and you can be sure that each post is fantastic and will be worth your time.

Share
Published by
Karthik
Tags: FIDO2

Recent Posts

How to Secure Your WordPress Hosting by Upgrading Your Login URL

Of course, every site has different needs. In the end, however, there is one aspect…

1 day ago

Social Media Marketing: A Key to Business Success with Easy Digital Life

In today's digital-first world, businesses must adopt effective strategies to stay competitive. Social media marketing…

3 days ago

Best 7 AI Tools Every UI/UX Designer Should Know About

62% of UX designers now use AI to enhance their workflows. Artificial intelligence (AI) rapidly…

5 days ago

How AI Enhances Photoshop Workflow: A Beginner’s Guide

The integration of artificial intelligence into graphic design through tools like Adobe Photoshop can save…

3 weeks ago

The Rise Of Crypto Trading Bots: A New Era In Digital Trading

The cryptocurrency trading world has grown significantly in recent years, with automation playing a key…

4 weeks ago

Real-World Insights on White-Label NFT Marketplace Development

The non-fungible token (NFT) market has witnessed explosive growth over the past few years, transforming…

4 weeks ago

This website uses cookies.