On Monday, Google and the FIDO Alliance announced that Android has added certified support for the FIDO2 standard, meaning the vast majority of devices running Android 7 or later will now be able to handle password-less logins in mobile browsers like Chrome. Android already offered secure FIDO login options for mobile apps, where you authenticate using a phone’s fingerprint scanner or with a hardware dongle like a YubiKey. But FIDO2 support will make it possible to use these easy authentication steps for web services in a mobile browser, instead of having the tedious task of typing in your password every time you want to log in to an account. Web developers can now design their sites to interact with Android’s FIDO2 management infrastructure.
Good move.
More about fido authentication…
https://fidoalliance.org/technical-principles-of-fido-authentication/
I commend the effort for being a solution to a real & frustrating problem for many users. However, biometrics aren’t really that infallible, and I worry that as we increasingly rely on them for security, the probability of hackers dumping biometric data in black market sales will also increase. Once biometric data gets leaked, unlike passwords it cannot be trivially regenerated; the loss of biometric data is permanent.
Sometimes “fingerprint hashes” are considered as a way to mitigate biometric data leaks; however, one’s actual fingerprints aren’t terribly secure to begin with. If a phone is stolen, the fingerprint to unlock it (and FIDO authentication) could easily be on the phone itself. Also, the assumption that one-way hashes are unbreakable doesn’t really hold given a finite search space that can be brute-forced. Just as simple passwords can be reversed using moderate resources, so too can fingerprints. It wouldn’t surprise me at all for someone in the future to generate fingerprint “rainbow tables” similar to those used to quickly crack passwords. At least in terms of the FIDO protocol, your fingerprint data remains on your phone and doesn’t go to the service. This means that a compromised service provider won’t be able to leak your biometrics, hashed or not. So they got that right!
I oppose bank account security becoming overly reliant on biometrics, but it’s probably good enough for things like trivial website logins. Concerns about biometrics aside, FIDO authentication offers the potential to bring a new level of simplicity for identifying oneself to third parties across the internet, so it seems like a good thing overall (*).
* The law of unintended consequences may mean that as a result of this simplicity, future websites may expect & require users to register & identify themselves to enter a website. Given that it’s just a swipe of the finger, many users would comply. In the event that such a trend becomes the norm, I hereby coin the term identity-wall akin to the pay-walls of today.
“At least in terms of the FIDO protocol, your fingerprint data remains on your phone and doesn’t go to the service. This means that a compromised service provider won’t be able to leak your biometrics, hashed or not. So they got that right!”
As I understand it (from the earlier versions of the protocol from years back), WebAuthn basically just uses a key pair (certificate), so in theory you can use any way to get the OS to talk to the browser to talk to the server. It’s just that the OS does a check to see if the browser is allowed to send the authentication response (with the key pair stored by the OS, which could be stored in separate ‘secure’ phone hardware). They just used fingerprints to allow it; as you mentioned, it’s only checked by the OS.
A big step forward indeed.
My biggest worry is: people will forget to set up 2 devices or ways to get access to a website, etc., and will be locked out when they drop their phone in the toilet.
I do wonder, did they fix all the issues?:
https://www.zdnet.com/article/worries-arise-about-security-of-new-webauthn-protocol/
+1 for YubiKey, I use it on this site and for my email. It can’t be easier. I wish my company would be using it instead of my phone to authenticate.