Google Ditches Passwords in Latest Android Devices | Threatpost

Half of all Android users can now log into apps and websites on their devices – without having to remember a cumbersome password.

On Monday, Google and the Fast IDentity Online (FIDO) Alliance announced that devices running Android 7 or later are certified under the FIDO2 standard, meaning that users can forgo passwords and instead use their fingerprint or a PIN to log into browsers or apps on their devices.

“Web and app developers can now add FIDO strong authentication to their Android apps and websites through a simple API call, to bring passwordless, phishing-resistant security to a rapidly expanding base of end users who already have leading Android devices and/or will upgrade to new devices in the future,” said the FIDO Alliance in a release from the Mobile World Congress conference this week in Barcelona, Spain.

The FIDO Alliance is an industry consortium launched in February 2013 to address the problems users face creating and remembering multiple usernames and passwords. Google has been part of the FIDO Alliance since 2013 – but has only now moved to offer FIDO2 support on its devices.

FIDO2 certification lets Android users log in with their devices’ built-in fingerprint sensors – or, if the devices don’t have them, log in to apps and browsers using other means like a PIN or a swipe pattern.

While remembering long or cumbersome passwords may be a pain for users, Google opting out of passwords for Android devices has security implications as well. With an array of emerging attacks that rely on stolen credentials – including phishing, man-in-the-middle and other cyber-attacks – many apps and browsers are jumping on board with novel passwordless login methods like biometrics.

FIDO is already supported in browsers like Google Chrome, Microsoft Edge, and Mozilla Firefox (with preview support in Apple Safari). Many apps, particularly banking apps, also already offer login methods that use fingerprint biometrics.

“Google has long worked with the FIDO Alliance and W3C to standardize FIDO2 protocols, which give any application the ability to move beyond password authentication while offering protection against phishing attacks,” said Christiaan Brand, product manager at Google, in a statement. “Today’s announcement of FIDO2 certification for Android helps move this initiative forward, giving our partners and developers a standardized way to access secure keystores across devices, both in market already as well as forthcoming models, in order to build convenient biometric controls for users.”

Right now, FIDO2 support is extended to devices that run Android 7 or later. According to Android’s Developer page, around 50 percent of users are on devices running Android 7 or above – the remaining 50 percent of users must update to use the passwordless feature.

Google has looked to step up the security for devices running on its Android platform – in February, the tech giant introduced a new storage encryption solution, Adiantum, that it hopes will expand security efforts to low-end devices that typically can’t support encryption.
