How will Google's passwordless FIDO security work?



Best answer: Google has teamed up with the FIDO (Fast IDentity Online) Alliance and will support its latest security standards for logging in to almost any service without a password. At first this will use your Android phone's security features, such as the fingerprint sensor, to prove who you are to the Chrome browser, but it should expand to any phone with any browser across all of Google's own services.

Your phone will be your password


[Image: Google FIDO authentication (image credit: Google)]

To keep your accounts safe you absolutely should be using a good password, a good password manager, and two-factor authentication. None of us wants to see our online accounts hacked.

But even with those three things in place, hacks still happen. Managing your own security just isn't intuitive for everyone, and even people who know all the right things and do them can still get hacked. Google — as well as Apple and Microsoft — is teaming with the FIDO Alliance to make it even harder for someone to get into your accounts without your permission.

As part of a Google I/O announcement and detailed in a standalone blog post, Google explained what it sees as the future of personal web security. 

"When you sign into a website or app on your phone, you will simply unlock your phone — your account won't need a password anymore." — Google

This will work using two critical elements: special hardware already inside most of the best Android phones, which Google calls the Titan module, and cryptography software that meets all the specifications needed to make it a FIDO credential.

When you set up your phone, a unique identifier will be created and stored in your phone's secure enclave. This identifier will be used with the FIDO standards to create a set of credentials that can be passed along to any device that's in communication with your phone, or any software that's running on that device.

[Image: FIDO2 specifications (image credit: FIDO Alliance)]

No personal identifiers are handed over to the site, every set of credentials is unique, and everything is encrypted; so far the scheme has held up as secure. A backup of the credentials will be securely stored in the cloud so you can set up another device using them, so you won't lose access if you lose your phone.

FIDO key support via your phone will make online security more accessible for everyone.

In plain English, this means that your phone will store a FIDO passkey. When you want to unlock any online account you just unlock your phone, and this passkey proves that you are really you. The key is only supplied when asked for, and you'll only need to unlock your phone the first time — after that, the experience is seamless as long as your phone is nearby.
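To make the mechanism concrete, here is a small added example, written for this article and not code from Google or the FIDO Alliance, that models the challenge-response flow in plain Go. It simplifies heavily: the real FIDO2/WebAuthn protocol has its own message formats, attestation, and counters, none of which appear here. The `Authenticator` stands in for the phone's secure hardware (it creates one key pair per site and only ever exports the public half), the `RelyingParty` stands in for the website (it stores public keys only), and the domain names and account names are constructed sample values. The assumed names `Register`, `Assert`, `Enroll`, `Verify` and `Login` are this example's own, not API names from any library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the phone's secure hardware. It keeps one private
// key per relying party (site) and never exports a private key.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey // keyed by relying-party ID
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh key pair for rpID and returns only the public key.
// Each site gets its own key, so nothing links accounts across sites.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// signedMessage binds the server's challenge to the site the user is
// actually talking to, so a signature made for one site is useless at another.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0}) // separator between the site ID and the challenge
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert signs a challenge for the origin the browser reports. If the device
// holds no credential for that origin (for example a look-alike domain), it
// refuses, which is the phishing-resistance property of passkeys.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[origin]
	if !ok {
		return nil, fmt.Errorf("no credential for %q", origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(origin, challenge))
}

// RelyingParty models the website. It stores public keys only, so a breach
// of its database yields nothing that can be used to log in.
type RelyingParty struct {
	id   string
	keys map[string]*ecdsa.PublicKey // keyed by account name
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, keys: map[string]*ecdsa.PublicKey{}}
}

// Enroll records the public key the authenticator returned at registration.
func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) {
	rp.keys[user] = pub
}

// NewChallenge returns a fresh random nonce; one per login attempt means an
// old signature cannot be replayed.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signature against the stored public key for the user.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.keys[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(rp.id, challenge), sig)
}

// Login runs one full challenge-response round: the site issues a challenge,
// the phone signs it for the origin the browser reports, the site verifies.
func Login(rp *RelyingParty, auth *Authenticator, user, origin string) (bool, error) {
	challenge, err := rp.NewChallenge()
	if err != nil {
		return false, err
	}
	sig, err := auth.Assert(origin, challenge)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, challenge, sig), nil
}

func main() {
	auth := NewAuthenticator()
	shop := NewRelyingParty("shop.example") // constructed sample site
	pub, _ := auth.Register(shop.id)
	shop.Enroll("alice", pub)

	ok, err := Login(shop, auth, "alice", "shop.example")
	fmt.Println("genuine site:", ok, err)
	ok, err = Login(shop, auth, "alice", "shop.example.net") // look-alike domain
	fmt.Println("look-alike site:", ok, err)
}
```

Two properties of the article's description fall out of this toy model directly: the private key never leaves the `Authenticator`, so the site only ever holds something useless to a thief, and because the signature covers the origin the browser reports, a look-alike domain gets no signature at all rather than a signature it could forward to the real site.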

The most difficult part of the equation is getting all of your devices to "talk" to each other the right way, at the right time. Google plans to start things using Android devices and Chrome OS or the Chrome browser, but with Apple and Microsoft also on board, this should eventually work with your Mac or Windows computer and an iPhone, or any mix of them all.

A project like this seems ambitious, and for many a little sketchy: Who wants one company to control access to accounts at another company? However, most experts agree that this is not only a more secure system, but its ease of use means it's also more accessible. We'll know more once Google starts rolling things out later in 2022.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.