“As of now, the FIDO2-standard authentication only works with passwords.google.com, with more standards to be added soon.”
Google is taking its first step towards doing away with long and complicated password-based logins for websites by adopting hardware-based passcode or biometric authentication. Not only would this make logins far more secure, but it would also reduce the burden of dealing with long, unique passwords that are hard to remember. The latest move by the company has been detailed by Dongjing He and Christiaan Brand of Google, showing how biometric authentication can be used to log in to certain accounts that are compatible with such standards.
He and Brand state in the blog post, “New security technologies are surpassing passwords in terms of both strength and convenience. With this in mind, we are happy to announce that you can verify your identity by using your fingerprint or screen lock instead of a password when visiting certain Google services. The feature is available today on Pixel devices and coming to all Android 7+ devices over the next few days.” The feature is built on the open standards of the Fast Identity Online (FIDO) Alliance, and it is important to note that this step is designed not to remove passwords entirely, but to make logins more secure through hardware authentication.
As the blog post explains, “Google is using the FIDO2 capability on Android to register a platform-bound FIDO credential. We remember the credential for that specific Android device. Now, when the user visits a compatible service, such as passwords.google.com, we issue a WebAuthn ‘Get’ call, passing in the credentialId that we got when creating the credential. The result is a valid FIDO2 signature.” Brand and He further add, “An important benefit of using FIDO2 versus interacting with the native fingerprint APIs on Android is that these biometric capabilities are now, for the first time, available on the web, allowing the same credentials to be used by both native apps and web services. This means that a user only has to register their fingerprint with a service once and then the fingerprint will work for both the native application and the web service.”
Part of the reason this method is so secure is that authentication happens in hardware on the phone itself, and does not rely on keys stored across the internet. Companies such as Microsoft have also been moving towards such a model, but still remain some distance away from shifting all of their services to hardware-based authentication. Brand and He have also explained how users can try out the new authentication steps on compatible sites, in a step-by-step guided process here.