On Monday, Google and the FIDO Alliance announced that Android has added certified support for the FIDO2 standard, meaning the vast majority of devices running Android 7 or later will now be able to handle password-less logins in mobile browsers like Chrome. Android already offered secure FIDO login options for mobile apps, where you authenticate using a phone’s fingerprint scanner or with a hardware dongle like a YubiKey. But FIDO2 support will make it possible to use these easy authentication steps for web services in a mobile browser, instead of having the tedious task of typing in your password every time you want to log in to an account. Web developers can now design their sites to interact with Android’s FIDO2 management infrastructure.
More about FIDO authentication…
I commend the effort for being a solution to a real & frustrating problem for many users. However, biometrics aren’t really that infallible, and I worry that as we increasingly rely on them for security, the probability of hackers dumping biometric data in black-market sales will also increase. Once biometric data is leaked it cannot, unlike a password, be trivially regenerated; the loss of biometric data is permanent.
Sometimes “fingerprint hashes” are proposed as a way to mitigate biometric data leaks, but one’s actual fingerprints aren’t terribly secure to begin with: if a phone is stolen, the fingerprint that unlocks it (and FIDO authentication) could easily be on the phone itself. Also, the assumption that one-way hashes are unbreakable doesn’t really hold given a finite search space that can be brute-forced. Just as simple passwords can be reversed using moderate resources, so too can fingerprints. It wouldn’t surprise me at all for someone in the future to generate fingerprint “rainbow tables” similar to those used to quickly crack passwords. At least in terms of the FIDO protocol, your fingerprint data remains on your phone and doesn’t go to the service, so a compromised service provider won’t be able to leak your biometrics, hashed or not. They got that right!
I oppose bank account security becoming overly reliant on biometrics, but it’s probably good enough for things like trivial website logins. Concerns about biometrics aside, FIDO authentication offers the potential to bring a new level of simplicity to identifying oneself to third parties across the internet, so it seems like a good thing overall (*).
* The law of unintended consequences may mean that as a result of this simplicity, future websites may expect & require users to register & identify themselves to enter a website. Given that it’s just a swipe of the finger, many users would comply. In the event that such a trend becomes the norm, I hereby coin the term identity-wall akin to the pay-walls of today.