Your future Android phone, apps will need no password

FIDO2 certification is paving the way for passwordless mobile security.
Written by Charlie Osborne, Contributing Writer

You keep hearing the warnings: use unique, strong, complex and lengthy passwords for each of your online accounts -- and, of course, make sure you don't forget them.
It is a trifle for many threat actors to brute-force simple and easy-to-remember passwords which are in constant circulation, and as companies now often enforce strong password policies and two-factor authentication (2FA), password management can be difficult to keep up with without the help of dedicated password managers (some, of which, have recently been found to be rather less secure than we would like).
What if, then, passwords were completely removed in favor of something else?

On Monday at Mobile World Congress (MWC) 2019 in Barcelona, Google and the FIDO Alliance outlined what such a future may look like for Android users.

Together, the organizations revealed that the Android operating system is now FIDO2 certified, which means that passwords could one day be fully eradicated in the mobile ecosystem.

The FIDO Alliance is an open industry association which focuses on bringing down our reliance on passwords. Made up of companies including Amazon, Arm, Google, Intel, Lenovo, and Microsoft, among many others, the organization is also the creator of specifications for improved authentication standards.   

Among these standards are FIDO Universal Second Factor (FIDO U2F), FIDO Universal Authentication Framework (FIDO UAF) and FIDO2, which implements the W3C's Web Authentication (WebAuthn) specification and the FIDO Client to Authenticator Protocol (CTAP).

FIDO2-enabled devices permit users to log in to online services and apps through FIDO security keys -- such as YubiKey -- or biometrics including fingerprint readers and cameras, all of which are backed by cryptographic security.

See also: Fake Google reCAPTCHA used to hide Android banking malware 

This can not only prevent eavesdropping and Man-in-The-Middle (MiTM) attacks but also remove what is often a weak point in online security services -- the possibility of passwords being brute-force attacked.

Now that Android is FIDO2 certified, this paves the way for over a billion devices to implement passwordless authentication standards as long as they are operating on Android version 7.0 or above.

Android app and web developers can now add FIDO authentication to their software through an API call, which the companies say will bring "passwordless, phishing-resistant security to a rapidly expanding base of end users who already have leading Android devices and/or will upgrade to new devices in the future."

It could be possible, for example, to implement a simple sign-on in a browser-based service and potentially carry on this authentication to access an accompanying Android mobile device without the need to validate a user multiple times.

TechRepublic: 5 workplace technologies that cause the most employee data breaches

"Google has long worked with the FIDO Alliance and W3C to standardize FIDO2 protocols, which give any application the ability to move beyond password authentication while offering protection against phishing attacks," said Christiaan Brand, Product Manager at Google. "Today's announcement of FIDO2 certification for Android helps move this initiative forward, giving our partners and developers a standardized way to access secure keystores across devices, both in market already as well as forthcoming models, in order to build convenient biometric controls for users."

While a number of browsers including Google Chrome, Microsoft Edge, and Mozilla Firefox -- with Apple's Safari browser included as a preview and a potential future rollout -- already support the system, the shift to a mobile ecosystem which caters to users in the billions represents what could be a radical change for what we consider basic online security.

CNET: Microsoft says Russian hackers targeted European researchers

With so many of us still using terribly easy-to-crack passwords and automated hacking tools making brute-force attacks a breeze, passwordless, strong authentication which relies on authenticity cues which may be far more difficult to break can only be of benefit to online users. It simply remains to be seen how many developers adopt the standard. 

How to discover and destroy spyware on your smartphone (in pictures)

Previous and related coverage

Editorial standards