Android brings FIDO2 certification to 1 billion devices

Android took the first step toward a world without passwords by receiving FIDO2 certification on versions 7.0 and higher.

The FIDO Alliance announced the certification, which will allow users to log into websites and apps using a device's fingerprint sensor or a FIDO-capable security key. Android versions 7.0 Nougat and higher received FIDO2 certification. Although these versions make up only about 50% of the Android ecosystem, that still adds up to more than 1 billion devices.

"Web and app developers can now add FIDO strong authentication to their Android apps and websites through a simple API call, to bring passwordless, phishing-resistant security to a rapidly expanding base of end users who already have leading Android devices and/or will upgrade to new devices in the future," the FIDO Alliance wrote in a press release.

FIDO2 is made up of two parts: the WebAuthn API specification developed by the World Wide Web Consortium and the Client to Authenticator Protocol developed by the FIDO Alliance. Mark Risher, head of account security at Google, recently told us that these authentication protocols are "game changers," because they remove the "burden of responsibility" from the user.

Support for FIDO2 authentication was pushed out through Google Play services, which delivers an automatic update to all Android devices running the Google app suite. A Google spokesperson confirmed that Chrome for Android version 72, which began rolling out in late January, includes support for FIDO2.

It is unclear if other Android browsers, like the Samsung browser or Mozilla Firefox, support FIDO2 or have plans to add support.

With Android receiving FIDO2 certification and Chrome updated, Andrew Shikiar, chief marketing officer for FIDO Alliance, based in Wakefield, Mass., said the last piece needed would be for websites or apps to support the authentication API call.

"Websites do need to do more than just update the JavaScript on their login pages. They also need to build support for FIDO2 into their authentication infrastructure so they can process the new standard messages that the web browser will pass between the user's device and the website's server," Shikiar said. "The good news is that our growing list of FIDO-Certified server solution providers have added FIDO2 support to their products to assist."

Shikiar noted that FIDO2 was only introduced in April 2018, and "the past nine months [have] been spent getting infrastructure in place for websites to roll this out."

"We've already seen some marquee FIDO2 deployments from groups such as Microsoft, Login.gov -- in the U.S. -- and Yahoo Japan. And we're aware of many other leading brands who are actively working on their own FIDO2 implementations," Shikiar said.

"To date, we have support across all major [desktop] web browsers, as well as strong embrace and integration by Microsoft into Windows 10 and related platform technologies. Today's news also brings the massive Android ecosystem into play -- with over 1 billion Android 7.0+ handsets that can be addressed by websites supporting FIDO Authentication," he continued. "With this, we believe the stage is now set for broad adoption."