FIDO2 certification is paving the way for passwordless mobile security.
This article originally appeared on ZDNet.
You keep hearing the warnings: use unique, strong, complex and lengthy passwords for each of your online accounts — and, of course, make sure you don't forget them. It is a trifle for many threat actors to brute-force the simple, easy-to-remember passwords that remain in constant circulation, and as companies now often enforce strong password policies and two-factor authentication (2FA), password management can be difficult to keep up with without the help of dedicated password managers (some of which have recently been found to be rather less secure than we would like). What if, then, passwords were completely removed in favor of something else?
Together, the organizations revealed that the Android operating system is now FIDO2 certified, which means that passwords could one day be fully eradicated in the mobile ecosystem.
The FIDO Alliance is an open industry association which focuses on bringing down our reliance on passwords. Made up of companies including Amazon, Arm, Google, Intel, Lenovo, and Microsoft, among many others, the organization is also the creator of specifications for improved authentication standards.
Among these standards are FIDO Universal Second Factor (FIDO U2F), FIDO Universal Authentication Framework (FIDO UAF) and FIDO2, which implements the W3C's Web Authentication (WebAuthn) specification and the FIDO Client to Authenticator Protocol (CTAP).
FIDO2-enabled devices permit users to log in to online services and apps through FIDO security keys — such as YubiKey — or biometrics including fingerprint readers and cameras, all of which are backed by cryptographic security.
This can not only prevent eavesdropping and Man-in-The-Middle (MiTM) attacks but also remove what is often a weak point in online security services — the possibility of passwords being brute-force attacked.
Now that Android is FIDO2 certified, this paves the way for over a billion devices to implement passwordless authentication standards as long as they are operating on Android version 7.0 or above.
Android app and web developers can now add FIDO authentication to their software through an API call, which the companies say will bring "passwordless, phishing-resistant security to a rapidly expanding base of end users who already have leading Android devices and/or will upgrade to new devices in the future."
It could be possible, for example, to implement a simple sign-on in a browser-based service and potentially carry on this authentication to access an accompanying Android mobile device without the need to validate a user multiple times.
"Google has long worked with the FIDO Alliance and W3C to standardize FIDO2 protocols, which give any application the ability to move beyond password authentication while offering protection against phishing attacks," said Christiaan Brand, Product Manager at Google. "Today's announcement of FIDO2 certification for Android helps move this initiative forward, giving our partners and developers a standardized way to access secure keystores across devices, both in market already as well as forthcoming models, in order to build convenient biometric controls for users."
While a number of browsers including Google Chrome, Microsoft Edge, and Mozilla Firefox — with Apple's Safari browser included as a preview and a potential future rollout — already support the system, the shift to a mobile ecosystem which caters to users in the billions represents what could be a radical change for what we consider basic online security.
With so many of us still using terribly easy-to-crack passwords and automated hacking tools making brute-force attacks a breeze, passwordless, strong authentication that relies on cryptographically backed credentials, which may be far more difficult to break, can only be of benefit to online users. It simply remains to be seen how many developers adopt the standard.