Today, the FIDO Alliance and World Wide Web Consortium (W3C) announced that the Android OS has received FIDO2 certification. This will enable Android users to use their fingerprint — rather than a password — to sign into websites and other services.
Developers will now be able to add password-less authentication to their web apps and sign-in pages, as well as their native Android apps following an automated Google Play Services update. Here's how to set everything up in Android.
While plenty of Android devices and apps have included fingerprint-based logins before, FIDO2 implementation is different, and its adoption on Android means we are likely inching closer to a future where passwords are obsolete.
How to set up password-less web sign-ins on Android
Once FIDO2 support has rolled out to your device, you will only be able to use fingerprint ID to sign into websites that allow it—though more will likely begin implementing fingerprint sign-ins since roughly a billion new devices will soon support the feature. To use password-less sign-ins on these websites, you’ll need:
A device running Android 7.0 or higher.
The most recent Google Play Services update. These updates are usually done automatically, but you can double-check by opening the app’s Google Play store page on your device to see if a new version is available.
Next, you will need to set up your fingerprint profile on your Android device if you haven’t already.
Once you have your fingerprint ID stored, you can now use your Android device’s fingerprint sensor to sign into websites and web-based apps when browsing in Chrome, Firefox, and Microsoft Edge (provided the website supports password-less authentication in the first place).
Is it secure?
Like any security measure, fingerprint ID has risks, so doubling up with another method—password, PIN, face recognition, or riddle-peddling bridge troll—is best practice. However, the FIDO2 protocol is incredibly secure and adds an extra layer of protection by preventing users from using fingerprint-based web logins on unsecured web domains and websites with fishy (or phishy) URLs. FIDO2 can also keep you safe in the event of a security breach. Unlike a password system, which requires both the user and the app/service to know the password, FIDO2 keeps the login key on the user’s device, so the service never holds a secret that could be stolen and reused.
Essentially, using your Android device’s fingerprint sensor will work in much the same way it works for unlocking your lock screen or signing into certain apps: your personal information and fingerprint profile data are stored locally on the device and never shared with the apps or websites you’re signing into. Instead, your device checks that the fingerprint matches the profile it has stored, then uses the login key it holds for that site to confirm with the app or website that everything is copacetic and signs you in (or locks you out, in the case that the information doesn’t match).
And just in case you need more reassurance that fingerprint authentication is safe, we have some tips for making your fingerprint data as secure as possible.