What IT needs to know about FIDO2 iOS and Android standards

The FIDO2 standard can help organizations go passwordless, but IT should understand how exactly an application or website offers this possibility through the WebAuthn API.

With the FIDO2 standard, organizations can provide a more secure authentication process to their users for desktops, mobile devices, web browsers and other applications and services.

Organizations that adopt the Fast Identity Online 2 (FIDO2) standard will allow users to rely on passwordless authentication for most day-to-day interactions with accounts or increase the level of security with a second authentication factor.

With more vendors adopting the FIDO2 iOS and Android standards, IT professionals should understand what FIDO is and how its standard works on mobile devices.

What is FIDO?

In most cases, users need a password alongside their username for various accounts, but FIDO's standards remove the need to use a password in many day-to-day instances. Instead, these standards allow the use of stronger factors such as biometrics and hardware security keys.

The FIDO Alliance, an association comprised of vendors such as Nok Nok Labs, Microsoft and many others, developed the FIDO standard in 2014. FIDO2, the latest version, became generally available in 2018.

FIDO2 consists of two components: WebAuthn, which is the API, and Client to Authenticator Protocol (CTAP). The WebAuthn API enables browsers and applications to support FIDO, while CTAP allows for universal two-factor devices to interact with the browsers and apps.

Initially, FIDO provided the ability to employ multi-factor authentication, but with the CTAP2 component of FIDO2, organizations can now offer a passwordless experience to their users and connect with external authenticators and security keys, such as the Yubico YubiKey.

FIDO2 allows IT to use public cryptography -- both public and private keys -- over networks, but only send the public key to the authenticator server. The private key remains either on the mobile device or hardware key itself.

Using FIDO2 on iOS and Android mobile devices

While FIDO2 iOS and Android support both exist today, Android was first to certify support for FIDO2 in early 2019. Apple, however, took its time and didn't join the FIDO Alliance until February 2020. All the major mobile browsers -- Google Chrome, Apple Safari and Mozilla Firefox, etc. -- have FIDO2 support, with Safari the latest one to get it officially in late 2019.

The method to use and deploy the FIDO2 iOS and Android standards generally remains the same compared to the original FIDO standards. The devices use hardware security keys to authenticate apps and websites. This can happen either via USB, near-field communication (NFC) or Bluetooth Low Energy.

IT pros -- or users -- will have to set any accounts they wish to use this functionality with to either accept hardware keys as the default secondary authentication through desktops and laptops or as the only authentication method. However, not all apps and sites support FIDO2 iOS and Android standards as the only authentication method at the time this is published.

Google took things a step further and added in FIDO2 functionality on all devices running Android 7+, with the devices standing in as security keys themselves when users authenticate Google accounts.

Google took things a step further and added in FIDO2 functionality on all devices running Android 7+, with the devices standing in as security keys themselves when users authenticate Google accounts. This allows users to authenticate with biometrics instead of relying on a separate security key. Google also has its own hardware keys users can purchase, but they're just white-labeled Feitian keys.

Apple took its time to certify FIDO2 iOS support. In December 2019, iOS 13.3 added NFC functionality to the native Safari mobile browser. The vendor then joined the FIDO Alliance in February. Apple took so long that Yubico, a vendor that sells FIDO-backed security keys, stepped in and designed the YubiKey 5Ci, which features a Lightning connector to use with iPhones and a USB-C model for newer macOS laptops. Users don't have to use this specific YubiKey as of iOS 13.3, as security keys now also work with iOS through Bluetooth Low Energy and NFC.

FIDO2 works on both iOS and Android mobile devices, but IT pros or users will just need to enable the functionality on each app and website they wish to use it with. Many of the most popular mobile apps, such as Facebook and Gmail, built in the FIDO2 authentication function  long ago, but smaller developers may need more time to adopt FIDO2.

How organizations can get started?

Organizations interested in adding FIDO2 to their apps and webpages will need to do a few things. First, they must decide if they want to add FIDO for passwordless login or for MFA and make sure their apps or identity management system support authentication via FIDO. They must also update their login and registration pages. The FIDO Alliance provides an explainer on what vendors and their developers need to add FIDO2 support.

Dig Deeper on Mobile security

Unified Communications