The FIDO2 Certificate Is Switching The Reality Of Passwords


On to policies now, the FIDO Alliance and Google launched the FIDO2 certificate at the Mobile World Congress that has been going on this week.

The FIDO (Fast Identity Online) Alliance is an association made up of tech giants including Google, Microsoft, Facebook, GitHub, eBay and Dropbox, among others, that works on and helps define passwordless authentication standards. The aim is to provide interoperable mechanisms, from biometrics such as fingerprints and facial scans to 2-factor authentication devices, that are far more secure and easier to use than passwords.

They have been working on FIDO2 certification for the past couple of years and as of yesterday’s announcement, the FIDO Alliance and Google took a giant leap to bring that passwordless life closer to reality on Android.


Passwords are flawed: they are relatively insecure, inconvenient and forgettable, even with 2-factor authentication. Passwords work like this: both the user and the service they're connected to have a secret key, stored on the service's servers and on the user's device. During login, the user's password is sent to the servers, encrypted and cross-checked with the stored key. If they match, you gain access to your account. The vulnerability of this method is that the key is stored in two locations, increasing the chances of being hacked.

The main FIDO approach is a personal device, such as a smartphone or a token, that uses a set of cryptographic keys to securely access FIDO-enabled services such as Microsoft, PayPal or Google. FIDO authentication data is never stored with the service, which protects your privacy and shields your login credentials from would-be hackers.


Users will no longer have to be torn between better security and better user experience: you get both, since over 400 services have been certified by the alliance.

The FIDO2 method stores the authentication key on your device only, and offline, making it secure, reliable and more convenient for you. WebAuthn integration further enhances the protection of your account.
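As an added illustration (not code from the FIDO Alliance, Google or this article), the Node.js sketch below shows the model described above: the private key stays on the device, the service stores only a public key, and login is a signature over a fresh challenge. It is a simplification of WebAuthn; `createAuthenticator`, `RelyingParty`, the user `alice` and the `login.example` origin are assumptions made for the example.

```javascript
// Added illustration, not from the article. Simplified: real WebAuthn signs
// authenticator data plus a hash of client data, not just challenge + origin.
const { generateKeyPairSync, randomBytes, sign, verify } = require("node:crypto");

// Device side: the key pair is generated on the device; only publicKey is shared.
function createAuthenticator() {
  const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const signAssertion = (challenge, origin) =>
    sign("sha256", Buffer.concat([challenge, Buffer.from(origin)]), privateKey);
  return { publicKey, signAssertion };
}

// Service side: holds one public key per user and no password or shared secret.
class RelyingParty {
  constructor(origin) {
    this.origin = origin;
    this.keys = new Map();    // user -> public key
    this.pending = new Map(); // user -> outstanding challenge
  }
  register(user, publicKey) { this.keys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verifyLogin(user, signature) {
    const challenge = this.pending.get(user);
    const publicKey = this.keys.get(user);
    this.pending.delete(user); // each challenge is single use
    if (!challenge || !publicKey) return false;
    const message = Buffer.concat([challenge, Buffer.from(this.origin)]);
    return verify("sha256", message, publicKey, signature);
  }
}

function demo() {
  const origin = "https://login.example"; // constructed sample origin
  const rp = new RelyingParty(origin);
  const device = createAuthenticator();
  rp.register("alice", device.publicKey);
  const signature = device.signAssertion(rp.newChallenge("alice"), origin);
  const ok = rp.verifyLogin("alice", signature);
  rp.newChallenge("alice");
  const replay = rp.verifyLogin("alice", signature); // old signature, new challenge
  const otherDevice = createAuthenticator().signAssertion(rp.newChallenge("alice"), origin);
  const wrongDevice = rp.verifyLogin("alice", otherDevice);
  return { ok, replay, wrongDevice, stored: rp.keys.get("alice").type };
}
console.log(demo());
```

The service's record for the user is a public key, so a copy of that record does not let anyone sign a login, and a captured signature is useless against the next challenge.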

FIDO2 certification is now available for Android 7.0 Nougat devices, meaning that they will now be able to handle passwordless logins in mobile browsers such as Google's Chrome. Some Android apps had already integrated the FIDO approach, authenticating with face unlock, a fingerprint sensor or a dongle such as the YubiKey.


The certification means that web and app developers can now use FIDO APIs to seamlessly offer universal passwordless logins for the mobile browser and the web.

To speed up this adoption, Google is pushing this approach via Google Play Services, so that it reaches most devices running Android 7.0 Nougat, and with them the largest number of users, without smartphone manufacturers needing to play around with it.
