The FIDO Alliance hammered another nail into the passwords coffin on Monday with the announcement that devices running Android 7.0 or higher will be compatible with FIDO2, the latest version of its authentication solution.
Certification of Android 7.0+ means devices running those versions of Google’s mobile operating system will support FIDO2 out of the box or through a software update.
FIDO2, introduced last year, provides a FIDO Web authentication standard that combines the World Wide Web Consortium’s Web Authentication specification with FIDO’s Client-to-Authenticator protocol. With it, devices gain secure access to online services in both mobile and desktop environments.
Expanding FIDO2 to the Android world allows Web and application developers to add strong authentication to their apps and websites through a simple API call, delivering passwordless, phishing-resistant security to their users.
“Google has long worked with the FIDO Alliance and W3C to standardize FIDO2 protocols, which give any application the ability to move beyond password authentication while offering protection against phishing attacks,” said Google Product Manager Christiaan Brand.
“Today’s announcement of FIDO2 certification for Android helps move this initiative forward, giving our partners and developers a standardized way to access secure keystores across devices, both in market already as well as forthcoming models, in order to build convenient biometric controls for users,” he added.
Stage Set for Providers
Since FIDO2 was introduced, it has gained support from all the major Web browsers, as well as Microsoft, which has integrated it into Windows 10, noted Andrew Shikiar, chief marketing officer of the Mountain View, California-based FIDO Alliance.
Now the massive Android ecosystem is in play, he added, with more than 1 billion Android 7.0+ handsets that can be addressed by websites supporting FIDO authentication.
“Simply put, the stage is now set for developers and service providers to add standards-based FIDO2 authentication into their websites and apps,” he told BlueHillco, “knowing in full confidence that a large swath of their consumers will be able to take advantage of FIDO’s approach towards simpler, stronger authentication.”
FIDO is trying to solve the world’s password problem, said Brian Jenkins, vice president for product at StrongKey, a cryptographic key management company in Sunnyvale, California.
“Passwords are the root cause of over 80 percent of data breaches,” he told BlueHillco. “They’re reused often for multiple online accounts, and they’re costly to maintain. FIDO is a significant step toward a future that is passwordless.”
Key Is Cryptography
A significant benefit of FIDO is that it helps companies move beyond their dependency on shared secrets, which results in centralized repositories of authentication credentials, and toward a public key cryptography approach, FIDO’s Shikiar observed.
“When passwords are stored on central servers, those servers become a nice attack target,” said Rolf Lindemann, senior director for products and technology at Nok Nok Labs, an authentication solutions company in Palo Alto, California.
“Billions of passwords have been stolen from servers already,” he told BlueHillco.
With the public key cryptography approach, the user’s authentication credentials remain with the user’s device, and the server retains only the corresponding public key, Shikiar explained.
“This not only helps protect the user’s privacy, but also begins to de-risk the authentication process for the service provider,” he noted. “In the unfortunate occurrence of a data breach, they no longer need to worry about credential theft, which protects their customers and also helps stop the scourge of credential stuffing.”
Credential stuffing occurs when credentials stolen from one site are used to compromise accounts on other sites because the credentials have been used by their owner on multiple sites.
“One of the keys to FIDO is not just the end user not having to remember passwords, but removing the onus on an app creator or service provider to store them,” said StrongKey’s Jenkins.
Android certification by FIDO will be good news for many businesses, noted Terence Jackson, CISO of Thycotic, a maker of privileged password management software in Washington, D.C.
“With the proliferation of BYOD, this is also a win for businesses that want to ensure employees are using strong passwords on their personal devices as well,” he told BlueHillco.
“Consumers with compatible devices can now use stronger passwords as a whole without the obstacle of having to enter long strings on their mobile devices, which has historically been a barrier to stronger password use,” Jackson explained.
A major challenge to FIDO has been consumer education, he added.
“FIDO is an effective way for consumers and businesses to protect access to their devices and services in a more frictionless manner than the traditional password, but consumers are not ready to say goodbye to the password just yet,” Jackson said.
Education will be a major part of FIDO’s efforts this year, Shikiar noted.
“In 2019, FIDO will be taking added steps to help facilitate adoption by providing pertinent resources to developers, and by working with our extensive vendor community to educate the market at large on the benefits of FIDO authentication,” he said.
Passwords Passing On
Last year was a seminal year for FIDO adoption, Shikiar noted, with not only the release of FIDO2 but also its incorporation into leading browsers and platforms — all within an eight-month period.
“With the addition of Android support, the stage is set for widespread adoption,” he said. “Our challenge now is on the other half of the supply/demand equation: getting service providers to deploy FIDO Authentication at scale.”
Will passwords ever disappear?
“There is a significant desire to phase out passwords, as everyone is now realizing that all passwords have been stolen — even those yet to be created,” said Shahrokh Shahidzadeh, CEO of Acceptto, a Portland, Oregon, cybersecurity startup focused on cognitive authentication.
“However, the move to eliminate them or even reduce dependency is still just in its infancy,” he told BlueHillco.
“I think the real question here is when can businesses stop relying on the shared secret approach for user authentication,” Shikiar added. “Not just passwords, but also things like one-time passwords, which are still shared secrets, albeit with a much shorter shelf-life and susceptible to replay attack and other mechanisms for account takeover.”
That question will be answered soon, he suggested, because the platforms and tools are now being put into place to make it easier for businesses to provide cryptographically backed, decentralized authentication, instead of maintaining the traditional approach of centralized password-based authentication.