Google Android is rolling out passwordless website and app access based on FIDO2

Google has begun rolling out passwordless website and app access based on FIDO2 standards,  W3C WebAuthn and FIDO CTAP.In this post,we checkout what is FIDO & how it enables passwordless website and app access.

FIDO2 (Fast Identity Online Alliance) allows the same credentials be used by both native apps and web services.This means that a user only has to register their fingerprint with a service once and then the fingerprint will work for both the native application and the web service.Also note, your fingerprint is never sent to Google’s servers, it is securely stored on your device, and only a cryptographic proof that you’ve correctly scanned is sent to Google’s servers.

What is FIDO ?

FIDO Alliance is based on free and open standards, FIDO Authentication enables password-only logins to be replaced with secure and fast login experiences across websites and apps.FIDO protocols use standard public key cryptography to provide stronger authentication. During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge.

The client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user–friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second–factor device or pressing a button.

FIDO Login Process

1. FIDO approved service challenges the user to login with a previously registered device that matches the service’s acceptance policy.
2. User unlocks the FIDO authenticator using the same method as done during Registration.
3. Device then uses the user’s account identifier provided by the service to select the correct key and sign the service’s challenge.
4. Client device sends the signed challenge back to the service, which verifies it with the stored public key and logs in the user.

Web Authentication Flow

In order to use WebAuthn, the user needs an external security device (like a FIDO 2 security key) or internal authenticators (like fingerprint readers, or facial recognition).

Google is using the FIDO2 capability on Android to register a platform-bound FIDO credential. When the user visits a compatible service, such as passwords.google.com, Google issues a WebAuthn “Get” call, passing in the credentialId that is got when creating the credential. The result is a valid FIDO2 signature.

FIDO verifies your identity by using your fingerprint or screen lock instead of a password when visiting certain Google services. This feature is being rolled out starting Aug 12th 2019 on Pixel devices and coming to all Android 7+ devices over the next few days.

To try it out right now, go to passwords.google.com, choose a site to view or manage a saved password, and follow the instructions to confirm your identity.

For additional security, use two-step verification with hardware keys like the ones below

• Yubico Security Key – U2F and FIDO2, USB-A, Two-Factor Authentication
• Yubico – Security Key NFC – USB-A – Two Factor Authentication Security Key
• FIDO U2F Security Key

Additional Resources

• Fast Identity Online Alliance Privacy principles
• How to enable 2-Step Verification on your Gmail account
• 10 steps to stay secure in digital world
• 9 Chrome Extensions to protect your online privacy
• BEST Chrome extensions for creating disposable email addresses
• IT Fundamentals for Cybersecurity Specialization from IBM

Like this post? Don’t forget to share it!