Android handsets running Android 7.0 Nougat or newer are now officially FIDO2 certified with either an update to Google Play Services or out-of-the-box, according to a new announcement made by the FIDO Alliance in conjunction with MWC 2019. That applies to most handsets launched in late 2016 or later and enables the built-in fingerprint sensor found in modern handsets or FIDO security keys to sign into websites or apps without a password.
The addition of support for websites that utilize passwordless secure sign-ins will likely be more impactful for Android users since many apps already allow fingerprint sign-in, such as banking apps. Regardless, the announcement also means that app developers should have an easier time adding fingerprint or FIDO key sign-in at the system level with the addition of a new API. So the functionality should become more widespread with official certification.
So what’s the difference?
The biggest change with the announcement of FIDO2 certification is that the feature standardizes passwordless, phishing-resistant security based on biometrics. The feature is also backed by extra encryption that remains transparent to end-users while ensuring additional protection against man-in-the-middle attacks and other cyber threats.
Google has been working with the FIDO Alliance to bring certification to Android since at least the beginning of last year. The authentication method has already been enabled in Chrome and other browsers since that time thanks to WebAuthn. That effectively defines a standard web API that lets web developers use the above-listed features directly in their sites.
Which devices does this apply to and when is it coming?
Android 7.0 Nougat was revealed way back in mid-2016 and became the most widely available version of Google’s mobile OS in early 2018. As of the search giant’s most recent figures, with measurements ending on October 26, 2018, just short of 50 percent of devices are running Android 7.0 Nougat or newer. That means that the majority of users and all users who buy a new device this year are going to see the new FIDO2 certification in action.
The specifics of exactly when end users on the mobile platform will see the changes, and more importantly the ‘where’, are still very much up in the air. To begin with, web and app developers will need to have incorporated the associated API before fingerprint-based password-free security can be activated within a given site or application. Because the method is standardized, it shouldn’t be too difficult to implement, but that doesn’t mean it will be widely used or that adoption will spread quickly.
No individual handset will necessarily see the certification update arrive quickly either. As with all such changes, FIDO2 certification is going to be delivered via a software update on older handsets — specifically, an update to Google Play Services. While it is more promising in terms of rollout speed that the update is to a system-level app instead of an OEM-specific app, it could still take weeks or even months to hit every supported handset. New devices will be certified out of the box.
All of that means that the change is going to be a bit uneven in its rollout and may not affect any given individual user depending on what services or apps they use and whether the developer has gotten on board with FIDO2.