Slashdot Mirror


Android Is Helping Kill Passwords on a Billion Devices (wired.com)

The FIDO Alliance -- a consortium that develops open source authentication standards -- has been pushing to expand its secure login protocols to make seamless logins a reality for several years. Today, it has hit the jackpot: Google. From a report: On Monday, Google and the FIDO Alliance announced that Android has added certified support for the FIDO2 standard, meaning that the vast majority of devices running Android 7 or later will now be able to handle password-less logins in mobile browsers like Chrome. Android already offered secure FIDO login options for mobile apps, where you authenticate using a phone's fingerprint scanner or with a hardware dongle like a YubiKey. But FIDO2 support will make it possible to use these easy authentication steps for web services in a mobile browser instead of laboriously typing in your password every time you want to log in. Web developers can now design their sites to interact with Android's FIDO2 management infrastructure.

3 of 123 comments

  1. No mention of SQRL Login by MCRocker · · Score: 3, Interesting

    I'm a little shocked to see an article on FIDO without even a mention of Steve Gibson's competing Secure Quick Reliable Login.

    Although I'm not an expert on this, most reports I've heard are that SQRL is what FIDO was trying to be.

    One key feature of SQRL is that it only does one of Authentication and Authorization, so it can be used for anonymous login, which would be better for many purposes, such as blog comments where you only need to verify that some response belonged to the same author as some other so nobody could impersonate someone else. Though it looks like FIDO may also do this.

    --
    Signatures are a waste of bandwi (buffering...)
  2. Re:Android is helping to spread pervasive tracking by Oswald McWeany · · Score: 3, Interesting

    Corrected headline - Android is helping to spread pervasive tracking.

    User name and password is "something you know", and as such is not something that can be used without your explicit consent. Seamless login is "something you have", and since it is part of your phone, it doesn't require your explicit consent to be checked.

    Yes, and I use a dozen different e-mail accounts to make it slightly harder for different companies on the web to know that I am the same person if they try and share data. I don't want the same account ID on every site I go to.

    I want Amazon and Slashdot, for example, to not know I'm the same person if they share databases. Or my bank and Google, etc. I know there are other ways of tracking and I'm probably not fooling the big guys much, but I want to log in different places as "different people".

    --
    "That's the way to do it" - Punch
  3. Re:Web developers by AmiMoJo · · Score: 4, Interesting

    That's not how FIDO works. It uses public key crypto, so your secret never leaves the phone. In contrast, with a password the secret (i.e. the password) has to be both transmitted to the server and stored in some fashion (hopefully one-way hashed with salt).

    Of course Chrome also supports auto-fill for passwords, which you can use if for some reason you don't understand what FIDO is.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC