On February 25th, Google introduced a new feature to Android that could have huge implications for our online security. The company announced that all Android devices running on version 7.0 and higher are now FIDO2 certified for password-free logins.
Overnight, millions of Android users worldwide suddenly found themselves with a security key in their pocket. That security key has the potential to one day make passwords, and all of their accompanying problems and vulnerabilities, a thing of the past.
Passwords as the Cornerstone of Cyber Security
Passwords are the main system that keeps our digital lives secure, but they’re increasingly not up to the task. Most people reuse an endless series of easy-to-guess phrases, and the underlying technology is also vulnerable to a wide range of attacks. All a hacker needs to do is convince you that their dodgy website or email is from your bank or other online service, and they can trick you into revealing your password (a so-called “phishing” attack) and gain entry to your account.
But that system could change under the FIDO2 standard. Rather than having to type in a string of characters (or, let’s face it, have a browser or password manager type it in for you), you authenticate through a security key or a biometric device like a fingerprint reader. Previously, the majority of these keys were USB sticks or Bluetooth dongles, but following Google’s announcement, your Android phone can perform the same authentication as a security key. The complex handshake between the security key and device means there’s nothing you need to remember and nothing useful that can be intercepted.
The standard has the potential to replace passwords entirely, and Google is actively working toward that future. “The world that we’d love to see is one where you don’t even have to do a traditional authentication with, say, a password,” Steven Soneff, a product manager at Google, tells The Verge. If you’re already signed in to your phone, then this could be used to “bootstrap” the next device that you want to sign in to your Google account, “and you never even had to deal with the username password for your Google account itself.”
Secure Future without Locks
With every modern Android device gaining FIDO2 certification, Dropbox’s complaint about the adoption levels of the standard looks like less of an issue. However, there’s still work to be done addressing its usability. For example, what happens if you lose your authentication device? This recovery mechanism is a tricky problem to solve, according to Soneff, and Google is looking at a number of ways of handling it. “The recovery mechanism is often the weakest link and where attackers will find their way in,” Soneff says, adding that this will be a key problem to solve in order to handle recovery at scale.
There’s also the iPhone problem. FIDO2 authentication has no hope of going mainstream unless Apple’s phones can be used as security keys alongside their Android counterparts. Yes, websites could technically ask iPhone users to use a separate hardware security key like a Yubico USB device, but Soneff thinks that the high barrier to entry of having to buy specialized hardware means that this kind of security key is unlikely to be used by anyone outside of enterprise users.
There is evidence that Apple is interested in moving beyond the password. The company already allows you to use your Apple Watch to log into your Mac, and there are rumors that this functionality might be set to expand in the future. Apple clearly knows that passwords are flawed and is thinking about replacing them. But so far, it’s been content to do so within its own walled ecosystem rather than by embracing an industry-wide standard like FIDO2.