Google Adopts Open-Source, Secure Password-Less Logins

The FIDO Alliance, a consortium for open source authentication standards, is trying to make passwords obsolete, expanding its secure login protocols. Its efforts were boosted by Google’s announcement that it added certified support for the FIDO2 standard, impacting the vast majority of devices running Android 7 or later. That means owners of these Android 7-based devices should be able to log in seamlessly without passwords on mobile browsers such as Chrome. Websites can now be designed to interact with FIDO2 management.

Wired reports that, “Android already offered secure FIDO login options for mobile apps, where you authenticate using a phone’s fingerprint scanner or with a hardware dongle like a YubiKey … but FIDO2 support will make it possible to use these easy authentication steps for web services in a mobile browser” rather than typing in your password to login to an account.

“Google got involved in FIDO quite some ways back, particularly because of phishing, which we think is one of the biggest issues of authentication on the web today,” said Google product manager Christiaan Brand, who focuses on identity and security. “The natural evolution was looking toward FIDO2.”

All variations of FIDO2 authentication “offer additional phishing protection by requiring user participation during sign-in (like doing a fingerprint scan or producing a dongle) so attackers can’t get as far with usernames and passwords alone.” Previously, FIDO2 and related standard WebAuthn “gained ubiquity through adoption by all the major browsers” — except Safari — although “Apple has hinted it will add support.”

Google’s buy-in “represents a big step, because it will enable a major subset of mobile developers to start offering universal password-less logins.” “We got to the point where it was implemented in browsers, but now we’re seeing FIDO technology sedimented in an even broader user base,” said FIDO Alliance chief marketing officer Andrew Shikiar.

Google plans to release the FIDO2 update via Google Play Services, “without manufacturers needing to do or adapt anything,” meaning “the update will actually be able to get to most of Android’s massive user base.” Although dongles, NFC and Bluetooth can be used for secure logins, “Google is envisioning fingerprint authentication as the easiest approach, and the one that is likely to become most popular with users.”

Open Crypto Audit Project director Kenn White lauded the FIDO2 option as “really strong identity protection for account holders.”