Deep Dive to "com.google.android.gms.fido.fido2"

Kengo Suzuki
February 07, 2019

# English Description (Japanese below)
We are exhausted by passwords. Users are exhausted by passwords because there are too many web services. Operators are exhausted by passwords because they must defend against password-related attacks such as phishing. We, as developers, are also exhausted because of the poor UX of passwords.

At the last DroidKaigi, I presented “AuthN and AuthZ with Android” (認証と認可と君と) to introduce FIDO UAF 1.1, the password-less authentication framework. Since that presentation, a lot of innovation has taken place. For example, major browsers have adopted, implemented, and released WebAuthN, which will play an important role in FIDO 2.0, which will be the new version of UAF 1.1.

Android hasn’t been left behind by these advances in authentication. In March 2018, a FIDO 2.0 package was released in the Android API, and that is exactly what I am going to talk about. By the end of this session, the audience will understand what `com.google.android.gms.fido.fido2*` does, how to use it with `BiometricPromptAPI`, and how it relates to WebAuthN.

## Outline
1. Reviewing FIDO UAF 1.1
2. Safetynet Attestation vs Key Attestation
3. com.google.android.gms.fido.fido2
4. fido2 with BiometricPrompt
5. fido2 with WebAuthN

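# Japanese Description
At last year's DroidKaigi 2018, in “AuthN and AuthZ with Android” (認証と認可と君と), I talked about FIDO UAF 1.1, the password-less authentication that frees us from such struggles, and about how to implement it on Android. A year has already passed since then: WebAuthN, which plays a part in FIDO 2.0, the next version, has been implemented in the major browsers, and the latest Chrome, version 70, can now work together with Android fingerprint authentication. Of course, there has been major movement in Android itself as well, and in 2018 a new package for FIDO 2.0 appeared in the Android API. In this session, I will talk about how to implement with com.google.android.gms.fido.fido2*, tying it in with the FIDO2-related APIs in Android such as BiometricPromptAPI.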

## Intended Audience

- anyone interested in Authentication
- anyone interested in FIDO
- whoever wants to understand the difference between FIDO in Android and WebAuthN
