It's more important than ever to manage your passwords online, but also harder to keep up with. That's a bad combination. So the FIDO Alliance—a consortium that develops open source authentication standards—has pushed to expand its secure login protocols to make seamless logins a reality. Now Android's on board, which means a billion devices can say goodbye to passwords in more digital services than ever.
On Monday, Google and the FIDO Alliance announced that Android has added certified support for the FIDO2 standard, meaning that the vast majority of devices running Android 7 or later will now be able to handle password-less logins in mobile browsers like Chrome. Android already offered secure FIDO login options for mobile apps, where you authenticate using a phone's fingerprint scanner or with a hardware dongle like a YubiKey. But FIDO2 support will make it possible to use these easy authentication steps for web services in a mobile browser instead of laboriously typing in your password every time you want to log in. Web developers can now design their sites to interact with Android's FIDO2 management infrastructure.
"Google got involved in FIDO quite some ways back, particularly because of phishing, which we think is one of the biggest issues of authentication on the web today," says Christiaan Brand, a product manager at Google focused on identity and security. "The natural evolution was looking toward FIDO2. Customers are already used to using these sensors on the device for authenticating into applications every day, so how do we make that technology available to websites?"
Developers can implement FIDO2 authentication in a number of different variations depending on what makes sense for their product, but all the versions offer additional phishing protection by requiring user participation during sign-in (like doing a fingerprint scan or producing a dongle), so attackers can't get as far with usernames and passwords alone.
FIDO2 and a related standard, WebAuthn, created by the FIDO Alliance and the World Wide Web Consortium, have gained ubiquity through adoption by all the major browsers—except Safari, though Apple has hinted it will add support—and platforms like Microsoft account sign-in. But Android represents a big step, because it will enable a major subset of mobile developers to start offering universal password-less login. Google's Brand points out that under FIDO2, developers will even be able to streamline their mobile browser and local app sign-in infrastructure so a user can set up password-less login on the web, and have that same easy authentication step carry over to the service's app or vice versa.
"We got to the point where it was implemented in browsers, but now we’re seeing FIDO technology sedimented in an even broader user base," says Andrew Shikiar, chief marketing officer of the FIDO Alliance.
Since Android is open source and can be deployed by device manufacturers in all different ways, the platform has issues keeping the global population of devices up to date with the latest operating system and features. But Brand says that Google is releasing the FIDO2 update through a mechanism called Google Play Services that will allow it to reach almost all devices running Android 7 or later without manufacturers needing to do or adapt anything. This means that the update will actually be able to get to most of Android's massive user base.
Though FIDO2 support will allow Android to accept secure web logins using dongles, NFC, and Bluetooth, Google is envisioning fingerprint authentication as the easiest approach, and the one that is likely to become most popular with users. And both Google and the FIDO Alliance emphasize that in all of this, your fingerprint data is still always stored locally on your device and isn't sent anywhere else or held by any other party. The sensor creates a cryptographic signature from your fingerprint data that is then used in FIDO2's authentication scheme.
"Providing the FIDO2 option gives really strong identity protection for account holders," says Kenn White, director of the Open Crypto Audit Project. "You and I might be fooled by 'paypa1.com,' but a FIDO key won’t be. Among the security community, WebAuthn, which FIDO2 intersects with, is considered one of the strongest account protections there is."
Though FIDO2 promises a much easier web security experience for users, it will take time to achieve adoption anywhere near as universal as traditional password schemes. And digital identity experts warn that any single credential, no matter how robust, is always more secure when paired with a strategic second authentication factor. Unfortunately, even in a glorious utopia free of passwords, there's never a magic bullet for account security.