Android Receives FIDO2 Certification to Usher in a World Without Passwords

cageymaru

The FIDO Alliance has announced that compatible devices running Android 7.0+ are now FIDO2 certified. FIDO2 certification allows these devices to have simpler, stronger authentication capabilities as users can utilize the device's built-in fingerprint sensor and/or FIDO security keys for secure passwordless access to websites and native applications that support the FIDO2 protocols. Web and app developers can enable support for FIDO with a simple API call. Web browsers such as Google Chrome, Mozilla Firefox and Microsoft Edge already support the standard, while Apple Safari has preview support. FIDO2 is comprised of the World Wide Web Consortium's (W3C) Web Authentication specification and the corresponding Client to Authenticator Protocol (CTAP) from FIDO Alliance. "Collectively, these standards enable users to more easily and securely login to online services with FIDO2-compliant devices such as fingerprint readers, cameras and/or FIDO security keys."

"Google has long worked with the FIDO Alliance and W3C to standardize FIDO2 protocols, which give any application the ability to move beyond password authentication while offering protection against phishing attacks. Today's announcement of FIDO2 certification for Android helps move this initiative forward, giving our partners and developers a standardized way to access secure keystores across devices, both in market already as well as forthcoming models, in order to build convenient biometric controls for users," said Christiaan Brand, Product Manager, Google.
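
The phishing protection mentioned above comes from what the browser puts in front of the authenticator to sign: the challenge the site issued and the origin the browser itself observed, so a signature produced on a look-alike domain does not verify at the real site. The following is an added illustration of the relying-party side of those checks, written for this thread and not code from the article, the FIDO Alliance, or Google. It uses only the Python standard library; the challenge bytes, the RP ID `example.com`, the sample `clientDataJSON`, and the `authenticatorData` layout values are constructed inputs, and the ECDSA signature check over the bytes it returns is left to whatever crypto library the relying party already uses.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    """WebAuthn encodes the challenge as unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_assertion_bindings(client_data_json: bytes, authenticator_data: bytes,
                              expected_challenge: bytes, rp_id: str,
                              allowed_origins: set) -> bytes:
    """Checks the origin/challenge/RP-ID bindings of a WebAuthn 'get' ceremony.

    Returns the exact bytes the authenticator signed (authenticatorData ||
    SHA-256(clientDataJSON)); the caller verifies the ECDSA signature over
    them with the credential's stored public key. Raises ValueError on any
    binding failure, which is the phishing case: a relay site can replay the
    challenge, but the browser writes *its* origin into clientDataJSON.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("unexpected ceremony type")
    # Challenge must be the one this server issued for this session (anti-replay).
    got_challenge = b64url_decode(client_data.get("challenge", ""))
    if not hmac.compare_digest(got_challenge, expected_challenge):
        raise ValueError("challenge mismatch")
    # Origin is recorded by the browser, not the page, so a phishing site cannot fake it.
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        raise ValueError(f"origin {origin!r} is not the relying party")
    # authenticatorData: rpIdHash (32) || flags (1) || signCount (4) || ...
    if len(authenticator_data) < 37:
        raise ValueError("authenticator data too short")
    expected_rp_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    if not hmac.compare_digest(authenticator_data[:32], expected_rp_hash):
        raise ValueError("rpIdHash mismatch: credential scoped to another RP")
    flags = authenticator_data[32]
    if not flags & 0x01:  # UP bit: user presence was tested
        raise ValueError("user presence flag not set")
    client_data_hash = hashlib.sha256(client_data_json).digest()
    return authenticator_data + client_data_hash


# --- constructed sample inputs (what a browser/authenticator would produce) ---

def build_sample_client_data(challenge: bytes, origin: str) -> bytes:
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode("utf-8")


def build_sample_authenticator_data(rp_id: str, flags: int = 0x05, sign_count: int = 7) -> bytes:
    # flags 0x05 = UP | UV (user present and user verified, e.g. by fingerprint)
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags]) + sign_count.to_bytes(4, "big"))


if __name__ == "__main__":
    challenge = b"constructed-challenge-32-bytes!!"  # a real RP uses os.urandom(32)
    auth_data = build_sample_authenticator_data("example.com")
    ok = build_sample_client_data(challenge, "https://example.com")
    print("genuine origin: signed bytes =", len(verify_assertion_bindings(
        ok, auth_data, challenge, "example.com", {"https://example.com"})))
    phish = build_sample_client_data(challenge, "https://example.com.login-portal.test")
    try:
        verify_assertion_bindings(phish, auth_data, challenge, "example.com", {"https://example.com"})
    except ValueError as err:
        print("phishing origin rejected:", err)
```

The allowed-origin check is an exact allowlist rather than a suffix match; a suffix match on `example.com` is the kind of check a look-alike host like `example.com.login-portal.test` is built to slip past.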
 
As long as this doesn't force either face or finger unlocking, because I will never enable either of those functions due to both security risks and their lack of legal protections when compared to passwords.

I will have to read more about the FIDO security keys and how that authentication process works / is secured.
 
As long as this doesn't force either face or finger unlocking, because I will never enable either of those functions due to both security risks and their lack of legal protections when compared to passwords.

I will have to read more about the FIDO security keys and how that authentication process works / is secured.


A balancing act isn't it?

Be more secure against hackers and risk the government forcing you to unlock your phone, or protect yourself against the government by sticking with passwords and get raped by hackers ........ I suppose you have to put your fears aside and do an honest risk profile.

Where do you stand the most to lose? (don't answer this, it's your business not mine :ROFLMAO:)
 
As long as this doesn't force either face or finger unlocking, because I will never enable either of those functions due to both security risks and their lack of legal protections when compared to passwords.

I will have to read more about the FIDO security keys and how that authentication process works / is secured.

It's for 2-Factor Authentication, so there will still be a password or some other authentication mechanism. I currently have a Yubikey and one of Google's Titan keys, they're both fine. I'd still rather use my phone for a second unlock with the same tokenized protections (ie, not SMS) just because I always have it on me.
 
It's for 2-Factor Authentication, so there will still be a password or some other authentication mechanism. I currently have a Yubikey and one of Google's Titan keys, they're both fine. I'd still rather use my phone for a second unlock with the same tokenized protections (ie, not SMS) just because I always have it on me.


Not me, see I can't have my phone with me where I work. Other people have the same problem, so while the world wants to run headlong towards using a phone as two-factor auth, it's actually impractical for many people. Besides, it's not really two-factor auth anyway.

But don't tell anyone, they'll take offense.
 
I certainly wasn't trying to imply that the other methods of implementing this should go away, just that it's convenient for me personally to have this as an option. Also, I'm curious about your statement that this wouldn't constitute 2FA. What are you basing that on?
 
I certainly wasn't trying to imply that the other methods of implementing this should go away, just that it's convenient for me personally to have this as an option. Also, I'm curious about your statement that this wouldn't constitute 2FA. What are you basing that on?

It is a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.

I'll shorten this to Know, Have, and Are. The first factor commonly still in use is "know", or your password. They are using your phone to send you a code and calling this "have" but it is technically just something you "know", again. Neither is it something you "are".

By relying on two forms of the same thing, you leave yourself open to the fact that what you know could still be compromised in the same manner, ie..... if your phone is no longer secure, then attackers could gain access to both the password and the code even if you did just get that SMS message. They just have to be quicker than you are to put it into use and they are in. What's more, they can use it against you as well. I'm your bank, please log in and we'll send you a code ... to our fake site.

Something you have is supposed to be along the lines of a Smart Card Certificate token. You put it into a reader and the reader pulls the token and this is the second form which is not just another version of something you "know".

Is it better than just a password, yes it is. And does it work well for many people, yes, it's still better than just a password even given its limitations. But it is not truly two factor authentication.
 
It's for 2-Factor Authentication, so there will still be a password or some other authentication mechanism. I currently have a Yubikey and one of Google's Titan keys, they're both fine. I'd still rather use my phone for a second unlock with the same tokenized protections (ie, not SMS) just because I always have it on me.

According to the article, this has nothing to do with 2FA.....:
"This gives users the ability to leverage their device’s built-in fingerprint sensor and/or FIDO security keys for secure passwordless access to websites"


It is a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.

I'll shorten this to Know, Have, and Are. The first factor commonly still in use is "know", or your password. They are using your phone to send you a code and calling this "have" but it is technically just something you "know", again. Neither is it something you "are".

By relying on two forms of the same thing, you leave yourself open to the fact that what you know could still be compromised in the same manner, ie..... if your phone is no longer secure, then attackers could gain access to both the password and the code even if you did just get that SMS message. They just have to be quicker than you are to put it into use and they are in. What's more, they can use it against you as well. I'm your bank, please log in and we'll send you a code ... to our fake site.

Something you have is supposed to be along the lines of a Smart Card Certificate token. You put it into a reader and the reader pulls the token and this is the second form which is not just another version of something you "know".

Is it better than just a password, yes it is. And does it work well for many people, yes, it's still better than just a password even given its limitations. But it is not truly two factor authentication.


Why is 2fa being brought up? The article has no references to 2fa, and explicitly states this is to give passwordless access to sites, not an extra factor of authentication.
 
Not me, see I can't have my phone with me where I work. Other people have the same problem, so while the world wants to run headlong towards using a phone as two-factor auth, it's actually impractical for many people. Besides, it's not really two-factor auth anyway.

But don't tell anyone, they'll take offense.
how is a phone authenticator not really 2FA?

Edit: Meaning Google Authenticator or similar app, NOT text authentication
 
how is a phone authenticator not really 2FA?

Edit: Meaning Google Authenticator or similar app, NOT text authentication

I'm guessing he means SMS is not really 2FA since it is not secure at all, and has a BIG vulnerability that was all over the tech blogs recently.

Google auth using RFC 6238 TOTP is true 2FA, and similar to what those Yubi keys do.
 
Why is 2fa being brought up? The article has no references to 2fa, and explicitly states this is to give passwordless access to sites, not an extra factor of authentication.

2FA is being brought up because someone brought it up. Paladin21 said that FIDO was being used as part of a 2FA security scheme, and remarked about how he preferred using his phone to some other methods. I simply commented that the practice of sending auth codes via SMS wasn't truly 2FA.
 
how is a phone authenticator not really 2FA?

Edit: Meaning Google Authenticator or similar app, NOT text authentication

Never used Google Authenticator or a similar app. Perhaps I made an uninformed assumption that he was talking about SMS text authentication codes.

I'll have to look into Google Authenticator to see what it's doing.
 
Something you have + something you are + something you know.

That's generally accepted as the best means to authenticate. Picking any less than 3 of those 3 options opens you up unnecessarily to someone who isn't you gaining access.

That means any marketing spiel professing to do away with the password is weak security.
 
Problem with face and finger prints. You can't change them like a password. Finger print probably more secure since they can't just take a picture of you and use it
 
I brought up 2FA because the certification was for FIDO(2). Current keys that support this are all for 2FA systems. While the article mentions passwordless transactions, the immediate effect is that you don't need a Yubikey or whatever device you are currently using, you could use biometrics off your phone sensors. I also specifically mentioned that this is not SMS, and as far as I can tell from the puff piece requires a biometric input of some type. I don't believe that you could even get certified if they were just sending you a code or having you type in a PIN, FIDO requires tokenized access.
 
Problem with face and finger prints. You can't change them like a password. Finger print probably more secure since they can't just take a picture of you and use it

I'll use my fingerprint or iris when I can get it changed after a security breach, and not before.
 
I brought up 2FA because the certification was for FIDO(2). Current keys that support this are all for 2FA systems. While the article mentions passwordless transactions, the immediate effect is that you don't need a Yubikey or whatever device you are currently using, you could use biometrics off your phone sensors. I also specifically mentioned that this is not SMS, and as far as I can tell from the puff piece requires a biometric input of some type. I don't believe that you could even get certified if they were just sending you a code or having you type in a PIN, FIDO requires tokenized access.

It's using your finger/face to unlock the token on your device with some kind of anti-phishing protection. There is nothing about 2FA in the article in regards to FIDO2.

Never used Google Authenticator or a similar app. Perhaps I made an uninformed assumption that he was talking about SMS text authentication codes.

I'll have to look into Google Authenticator to see what it's doing.

It's using RFC 6238 TOTP, which is true 2FA. That's my preferred method for second factor auth.

I dislike hardware devices as they tend to drift and eventually require to be resync'd. Your phone should keep its time close enough to the server (assuming it's using time-sync), so it should never drift out of range.
 
Problem with face and finger prints. You can't change them like a password. Finger print probably more secure since they can't just take a picture of you and use it


Soldiers used to bring me their biometrics systems for updates and before I did the updates, I'd make sure that they didn't have "enrollment" data that had not been processed and submitted to the database servers. Part of that process was checking each "new enrollment" to see if the person already existed in the database. It was common for new enrollments to give false matches on fingerprints alone, especially if not all of the fingerprints were captured. So in short, prints are OK for being something different, but they sure aren't the best. An iris is generally far superior to prints, but the software behind it all has to be good.
 
It's using your finger/face to unlock the token on your device with some kind of anti-phishing protection. There is nothing about 2FA in the article in regards to FIDO2.



It's using RFC 6238 TOTP, which is true 2FA. That's my preferred method for second factor auth.

I dislike hardware devices as they tend to drift and eventually require to be resync'd. Your phone should keep its time close enough to the server (assuming it's using time-sync), so it should never drift out of range.


Just spent like 30 minutes hashing this out with the guys here at work. I must relent on this. I can't stand on the idea that if you have to type in the code, that it must be something you know. It can be, but it doesn't have to be.

So as sometimes happens, I must admit when I'm wrong and on this one, I mostly am.
 
I'm open to crypto authentication. I've used it on a couple of cases with my SSH servers, but most of the time I just keep passwords.

If I am going to use it I'll need it to be completely transparent, and for it to give me the means to set things up manually, and not rely on any kind of cloud storage.

I don't trust black boxes, and I don't trust anything that stores data on someone else's server.
 
I don't trust black boxes, and I don't trust anything that stores data on someone else's server.


This x100000000000000..... After working in IT/security, you realize how little most companies spend time/money on it, until they are breached. Every day it's a new article about a misconfigured S3 bucket, or some kind of data dump of plain text passwords, etc. I trust myself, and if that fails then I know exactly who to blame.
 
This x100000000000000..... After working in IT/security, you realize how little most companies spend time/money on it, until they are breached. Every day it's a new article about a misconfigured S3 bucket, or some kind of data dump of plain text passwords, etc. I trust myself, and if that fails then I know exactly who to blame.


No company like AWS wants to tell companies that along with saving all that money on IT overhead, they need to budget for some IA guys in order to make sure that they aren't going to get fucked in the process.

It just doesn't sell quite the same :sneaky:
 
No company like AWS wants to tell companies that along with saving all that money on IT overhead, they need to budget for some IA guys in order to make sure that they aren't going to get fucked in the process.

It just doesn't sell quite the same :sneaky:

Because of the 'cloud' buzzword that management throws around like that will solve all their problems. Funny thing is, running infrastructure in the cloud is ridiculously expensive, and still takes someone skilled to be able to set it up properly/securely. That's what I do at work. Create templates to deploy complex aws/azure infrastructure for multiple different applications. There's a reason devops is one of the higher paid tech jobs. I have to wear a LOT of hats and understand system administration, network administration, security etc. Not enough companies understand that need, and end up getting fucked like you said.
 
Because of the 'cloud' buzzword that management throws around like that will solve all their problems. Funny thing is, running infrastructure in the cloud is ridiculously expensive, and still takes someone skilled to be able to set it up properly/securely. That's what I do at work. Create templates to deploy complex aws/azure infrastructure for multiple different applications. There's a reason devops is one of the higher paid tech jobs. I have to wear a LOT of hats and understand system administration, network administration, security etc. Not enough companies understand that need, and end up getting fucked like you said.

Our boss who has every cert there is and no experience in the data center is pushing us toward HCI as hard as he can ........ boy is he going to fuck up.

I'm in a race, I want to collect all the retirement savings as I can before the government here can come up with the money to buy into his foolhardy machinations.

The customer doesn't need that shit, he just wants to sell them on it for his resume.
 