Passwordless Login Comes to Android with FIDO2 Certification

On February 25, 2019, Google and the FIDO Alliance announced at Mobile World Congress that support for the FIDO2 standard has been added to Android devices running Android Nougat and above. The FIDO Alliance is an open industry consortium focused on developing authentication standards, and it has been working to replace traditional password- and OTP-based authentication with more secure open standards.

What Is Passwordless Login?

Storing things securely, whether in the physical or the digital world, has always been a challenge. In the physical world we use a real key; in the digital world the password, together with the username, acts as the key. With every service being digitized, you have to create a separate account and a complex password for each one, and managing many complex passwords is by no means easy. That is where passwordless login comes to your rescue.

Google has already been providing passwordless login for native Android apps. It allows users to log in securely to their accounts and apps using the phone's fingerprint scanner or a hardware security key such as Google's Titan Security Key or a YubiKey. FIDO2 extends this capability to web services accessed through mobile browsers. Since Android now has certified support for the FIDO2 standard, the majority of devices running Android Nougat (Android 7) or higher can allow users to log in to websites and native mobile applications without typing a password.

With FIDO2 certification, logging in to a web service becomes as simple as unlocking your phone with your fingerprint. This changes everything from how you access your email and book your flight tickets to how you log in to your bank's portal.

How Is Passwordless Login Implemented?

Depending on the needs of the product or service, passwordless login can be implemented in different ways, ranging from a fingerprint scanner to a physical security key, or even the PIN or pattern on your device. Whichever method you use, it adds an extra layer of protection against hacking and phishing attacks, because the authentication flow requires your participation: scanning your fingerprint, presenting a security dongle, and so on.

FIDO-based passwordless login is built on public key cryptography, using hardware such as security keys or smartphones. When a user registers an account using a fingerprint, a secret PIN, or some other security device, a public-private key pair is generated that is unique to that service and user account. Only the public key is sent to the server, where it is associated with the user's account for future verification. The private key and the information related to it stay with the user on their local device.

Consider a real-world scenario where you need to make a financial transaction from an app using your online bank account. You would already have registered with that bank using your fingerprint or a security key. The app asks your bank's web service to authenticate you using FIDO2. The bank's web service sends an authentication challenge to the app, and you confirm with the same fingerprint or security key you used at registration. That unlocks the private key held on your device, which signs the challenge; the app sends the signed response to the bank, which verifies it against the public key stored for your account at registration. If the signature checks out, the transaction is processed. Since only the private key on your device can produce that signature, and it is used only after your fingerprint or security key is presented, an attacker cannot authenticate on your behalf without your device.
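The registration and challenge-response flow described above, as an added example in Go that is not code from the article or from Google's FIDO2 API: RelyingParty, Authenticator, rpID and userVerified are assumed names, and the fingerprint or PIN check is modelled by a boolean. The relying party stores only public keys, issues a random single-use challenge, and verifies the signed response; the authenticator keeps one private key per site and user and uses it only after user verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Added example, not the FIDO2 API: RelyingParty models the bank's web service and keeps, per user,
// only the enrolled public key and the one live challenge, never a private key.
type RelyingParty map[string]*account
type account struct {
	pub       *ecdsa.PublicKey
	challenge []byte
}
// Authenticator models the phone or security key: one private key per site and user, kept on the device.
type Authenticator map[string]*ecdsa.PrivateKey
// Register mints a fresh P-256 key pair scoped to this site and user; only the public half leaves the device.
func (a Authenticator) Register(rp RelyingParty, rpID, user string) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a[rpID+"|"+user] = priv
	rp[user] = &account{pub: &priv.PublicKey}
}
// Challenge issues a random single-use nonce that the device must sign.
func (rp RelyingParty) Challenge(user string) []byte {
	rp[user].challenge = make([]byte, 32)
	rand.Read(rp[user].challenge)
	return rp[user].challenge
}
// Sign answers the challenge with the device-held private key; userVerified stands in for the fingerprint/PIN gate.
func (a Authenticator) Sign(rpID, user string, challenge []byte, userVerified bool) ([]byte, error) {
	if priv, ok := a[rpID+"|"+user]; ok && userVerified {
		h := sha256.Sum256(append([]byte(rpID), challenge...)) // bind the response to the site too
		return ecdsa.SignASN1(rand.Reader, priv, h[:])
	}
	return nil, errors.New("user verification failed or no credential for this site")
}

// Verify checks the response against the enrolled public key and consumes the challenge, so replays fail.
func (rp RelyingParty) Verify(rpID, user string, challenge, sig []byte) bool {
	acct, ok := rp[user]
	if !ok || acct.challenge == nil || string(acct.challenge) != string(challenge) {
		return false
	}
	acct.challenge = nil // consumed: the same response cannot be replayed
	h := sha256.Sum256(append([]byte(rpID), challenge...))
	return ecdsa.VerifyASN1(acct.pub, h[:], sig)
}
```

Because the signed message includes the site identifier, a response produced for another site's credential fails verification at the bank even if it is relayed over the same challenge.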

Android, being open source, faces the challenge that different manufacturers implement it in different ways, which makes supporting the latest features harder. With FIDO2 certification, manufacturers do not have to make any changes, because the standard's services are delivered through Google Play Services. This means most devices running Android N or higher can support FIDO2-based authentication right away. Developers still have to integrate FIDO's API into their apps for users to take advantage of these features.

Is Passwordless Login Safe?

The answer is both yes and no: it depends on your implementation. Compared to traditional login, passwordless logins are much safer. Passwords are clumsy and need to be changed frequently to stay secure. According to studies, 81% of data breaches are caused by weak, default, or stolen passwords.

The commonly used email- or SMS-based passwordless authentication has its own merits and demerits. Email-based authentication outsources security to your email account: if your email is compromised, an attacker gains access to every service and app tied to that account. SMS-based passwordless login can be more secure than email, but SMS can still be intercepted, although that requires a more sophisticated attack. Delays in SMS delivery also frustrate users.

Fingerprint scanners and hardware security devices provide more security and are easier to use as well. But relying on a single authentication factor is still risky. Security experts warn that, since passwordless login on its own is single-factor authentication, it is always better to combine it with another authentication factor.

Write to us to implement safe passwordless login for your mobile sites.