Android is preparing support for password-replacing “passkeys” synced with your Google Account

The security industry, as organized by the FIDO (Fast IDentity Online) Alliance, has been working to replace passwords because of people’s tendency to use weak ones or reuse them. Two-factor authentication (2FA) has helped remedy this, but the future is “passkeys”, with Android and Google preparing support.

About APK Insight: In this “APK Insight” post, we have decompiled the latest version of an application that Google uploaded to the Play Store. When we decompile these files (called APKs in the case of Android apps), we are able to see various lines of code within that hint at possible future features. Keep in mind that Google may or may not ship these features, and that our interpretation of what they are may be imperfect. We will try to activate those that are closer to completion, to show you what they will look like if shipped. With that in mind, read on.

If successful, logging in to a web service will no longer involve entering a password. This includes passwords that are filled in automatically, which are now common thanks to the password managers built into today’s browsers and operating systems. Rather, the FIDO approach uses cryptographic keys. Before a login takes place, end users simply unlock their device (password, fingerprint, face unlock, etc.).

When registering with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is performed by the client unit proving possession of the private key to the service by signing a challenge.

FIDO Alliance
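
The registration and challenge-signing flow quoted above, as an added example that is not code from the article, Google, or the FIDO Alliance. It is a simplified model (real WebAuthn messages carry more fields); the `Service` class, helper names, user name and origins are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Message both sides sign/verify: hash of the origin plus the server's challenge.
const message = (origin, challenge) =>
  Buffer.concat([crypto.createHash('sha256').update(origin).digest(), challenge]);

// Client device: creates the key pair and never releases the private key.
function createCredential() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { privateKey, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}
const signChallenge = (privateKey, origin, challenge) =>
  crypto.sign('sha256', message(origin, challenge), privateKey);

// Online service: stores public keys only and issues single-use challenges.
class Service {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map();
    this.pending = new Map();
  }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verifyLogin(user, signature) {
    const challenge = this.pending.get(user);
    const pem = this.publicKeys.get(user);
    this.pending.delete(user); // a challenge is consumed whether or not it verifies
    if (!challenge || !pem) return false;
    return crypto.verify('sha256', message(this.origin, challenge), pem, signature);
  }
}

// Constructed scenario; the user name and origins are made up for the example.
function demo() {
  const service = new Service('https://example.test');
  const device = createCredential();
  service.register('alice', device.publicKeyPem);
  const c1 = service.newChallenge('alice');
  const sig = signChallenge(device.privateKey, 'https://example.test', c1);
  const login = service.verifyLogin('alice', sig);
  const replay = service.verifyLogin('alice', sig); // challenge already consumed
  const c2 = service.newChallenge('alice');
  const wrongSig = signChallenge(device.privateKey, 'https://examp1e.test', c2);
  return { login, replay, wrongOrigin: service.verifyLogin('alice', wrongSig) };
}
```

The service never holds a secret that could be leaked or reused: a captured signature fails on replay, and one produced for a look-alike origin fails at the real service.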

Instead of passwords, you will have “passkeys” stored on your device and in the operating system’s associated cloud sync service. In the case of Android, passkeys – which is the name Apple will also use – are stored in your Google Account, as explained by new strings in the latest version of Google Play services (version 22.15.14).

Hello passkeys, goodbye passwords

Passkeys provide better protection than passwords – and are securely stored in your Google Account.
Learn more

You still need to know your primary Google Account (or Apple ID) password, especially when switching to a new device, but this fully realized future means it’s the only one you really need to remember.

Just as password managers do with passwords, the underlying OS platform will “synchronize” the cryptographic keys associated with a FIDO credential from device to device. This means that the security and availability of a user’s synchronized credentials depends on the security of the underlying OS platform’s (Google’s, Apple’s, Microsoft’s, etc.) authentication mechanism for their online accounts and the security method for reinstating access when all (old) units were lost.

FIDO March 2022 White Paper

Work is still in progress, and third-party adoption is a major requirement for all of this to work. Today’s strings suggest that Google will make a fairly user-facing push encouraging passkey adoption, as seen by “Hello passkeys, goodbye passwords” and the cover image above.
