Mobile apps and websites can now use Fido standards to provide a simpler, secure biometric login for users on more than a billion devices supporting Android 7.0+, according to the Fido (Fast IDentity Online) Alliance, a consortium of tech industry partners, including Amazon, Facebook, Google, Microsoft and Intel, that are working together to establish standards for strong authentication.
Android is now certified under the Fido2 project, a set of interlocking initiatives that together create a Fido authentication standard for the web and greatly expand the Fido ecosystem.
Fido2 is made up of the World Wide Web Consortium’s (W3C) Web Authentication specification (WebAuthn) and Fido’s corresponding Client-to-Authenticator Protocol (CTAP), which collectively enable common Fido2-compliant devices to authenticate easily to online services in both mobile and desktop environments.
The certification means that any compatible device running Android 7.0+ is now Fido2 certified out of the box or after an automated Google Play Services update. This enables Android device owners to use their device’s built-in fingerprint sensor and/or Fido security keys for secure passwordless access to websites and native applications that support the Fido2 protocols.
The Fido Alliance said web and app developers can now add Fido strong authentication to their Android apps and websites through a simple application programming interface (API) call, to bring passwordless, phishing-resistant security to Android users.
Christiaan Brand, product manager at Google, said the company has been working with the Fido Alliance and W3C to standardise Fido2 protocols.
“These give any application the ability to move beyond password authentication while offering protection against phishing attacks,” he said.
“Today’s announcement of Fido2 certification for Android helps move this initiative forward, giving our partners and developers a standardised way to access secure keystores across devices, both in market already as well as forthcoming models, in order to build convenient biometric controls for users.”
Brett McDowell, executive director of the Fido Alliance, said Fido2 was designed from the very start to be implemented by platforms, with the ultimate goal of ubiquity across all the web browsers, devices and services we use every day.
“With this news from Google, the number of users with Fido authentication capabilities has grown dramatically and decisively,” he said. “Together with the leading web browsers that are already Fido2-compliant, now is the time for website developers to free their users from the risk and hassle of passwords and integrate Fido authentication.”
The Fido Alliance said Fido2 support has been growing since the specifications were introduced. In addition to browser and platform support, several Fido2-certified products have been announced to support implementation.
Device manufacturers interested in taking advantage of out-of-the-box certification and displaying the Fido certified logo on their Android devices should consult the Fido Alliance’s new trademark and service mark usage agreement, the industry consortium said.