Attestation format change for the Android FIDO2 API


Posted by Christiaan Brand – Group Product Manager

In 2019 we introduced a FIDO2 API, adopted by many leading developers, which allows users to generate an attested, device-bound FIDO2 credential on Android devices.

Since this launch, Android has generated an attestation statement based on the SafetyNet API. As the underlying SafetyNet API is being deprecated, the FIDO2 API must move to a new attestation scheme based on hardware-backed key attestation. This change will require action from developers using the FIDO2 API to ensure a smooth transition.

The FIDO2 API is closely related to, but distinct from, the passkeys API and is invoked by setting the residentKey parameter to discouraged. While our goal is to migrate developers to the passkey API over time, we understand that not all developers who are currently using the FIDO2 API are ready for that move, and we continue working on ways to converge these two APIs.

We will update the FIDO2 API on Android to produce attestation statements based on hardware-backed key attestation. As of November 2024, developers can opt in to this attestation scheme with controls for individual requests. This should be useful for testing and incremental rollouts, while also giving developers full control over the timing of the switch over the next 6 months.

We will begin returning hardware-backed key attestation by default for all developers in early April 2025. From that point, SafetyNet certificates will no longer be granted. It is important to implement support for the new attestation statement, or to move to the passkey API before the cutover date; otherwise your applications might not be able to parse the new attestation statements.

For web apps, requesting hardware-backed key attestation requires Chrome 130 or higher enrolled in the WebAuthn attestationFormats origin trial. (Learn more about origin trials.) Once these conditions are met, you can specify the attestationFormats parameter in your navigator.credentials.create call with the value ["android-key"].
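The following is an added example, not code from the original post or from Google: it shows the two places a relying party touches during this cutover. The first function builds the navigator.credentials.create options that carry the attestationFormats member named above (with residentKey set to discouraged, which is what selects the FIDO2 API rather than passkeys). The second part reads the fmt field out of a returned attestationObject so you can confirm, before April 2025, that your server-side parser accepts "android-key" as well as the older "android-safetynet". The rpId, user, challenge and the two sample attestation objects are constructed placeholders; a real attestationObject carries a full attStmt and authData, which are stubbed here.

```javascript
// Added example (not from the original post). Assumes only the standard
// WebAuthn option names plus the attestationFormats member the post describes.

// --- 1. Request side: creation options that ask for android-key attestation ---
function buildCreationOptions({ rpId, userId, userName, challenge, attestationFormats = ["android-key"] }) {
  return {
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    // residentKey: "discouraged" selects the device-bound FIDO2 API on Android.
    authenticatorSelection: { residentKey: "discouraged", userVerification: "preferred" },
    attestation: "direct",
    // Honoured by Chrome 130+ with the attestationFormats origin trial enabled;
    // browsers that do not know the member ignore it, so it is safe to always send.
    attestationFormats,
  };
}

// --- 2. Response side: minimal CBOR decoder, enough for an attestationObject ---
// Handles major types 0-5 (uints, negative ints, byte strings, text strings,
// arrays, maps), which is all the top-level attestationObject map uses.
function decodeCbor(bytes) {
  let pos = 0;
  function readLen(info) {
    if (info < 24) return info;
    if (info === 24) return bytes[pos++];
    if (info === 25) { const v = (bytes[pos] << 8) | bytes[pos + 1]; pos += 2; return v; }
    if (info === 26) {
      const v = ((bytes[pos] << 24) >>> 0) + (bytes[pos + 1] << 16) + (bytes[pos + 2] << 8) + bytes[pos + 3];
      pos += 4; return v;
    }
    throw new Error("unsupported CBOR length encoding");
  }
  function item() {
    const initial = bytes[pos++];
    const major = initial >> 5, info = initial & 0x1f;
    switch (major) {
      case 0: return readLen(info);
      case 1: return -1 - readLen(info);
      case 2: { const n = readLen(info); const v = bytes.slice(pos, pos + n); pos += n; return v; }
      case 3: { const n = readLen(info); const v = new TextDecoder().decode(bytes.slice(pos, pos + n)); pos += n; return v; }
      case 4: { const n = readLen(info); const a = []; for (let i = 0; i < n; i++) a.push(item()); return a; }
      case 5: { const n = readLen(info); const m = new Map(); for (let i = 0; i < n; i++) { const k = item(); m.set(k, item()); } return m; }
      default: throw new Error(`unsupported CBOR major type ${major}`);
    }
  }
  const value = item();
  if (pos !== bytes.length) throw new Error("trailing bytes after CBOR item");
  return value;
}

// Returns the attestation statement format ("fmt") of a raw attestationObject.
function attestationFormatOf(attestationObject) {
  const obj = decodeCbor(attestationObject);
  if (!(obj instanceof Map) || typeof obj.get("fmt") !== "string") throw new Error("not an attestationObject");
  return obj.get("fmt");
}

// Maps the format to what the rollout means for the relying party.
function classifyAttestation(attestationObject) {
  const fmt = attestationFormatOf(attestationObject);
  if (fmt === "android-key") return "hardware-backed key attestation (default from April 2025)";
  if (fmt === "android-safetynet") return "SafetyNet attestation (being deprecated)";
  return `other format: ${fmt}`;
}

// --- Constructed sample data (not real authenticator output) -----------------
function cborText(s) { const b = new TextEncoder().encode(s); return [0x60 | b.length, ...b]; } // len < 24
function sampleAttestationObject(fmt) {
  return new Uint8Array([
    0xa3,                                     // map(3)
    ...cborText("fmt"), ...cborText(fmt),
    ...cborText("attStmt"), 0xa0,            // empty map stands in for the real statement
    ...cborText("authData"), 0x41, 0x00,     // 1-byte placeholder authenticator data
  ]);
}
const SAMPLE_ANDROID_KEY = sampleAttestationObject("android-key");
const SAMPLE_SAFETYNET = sampleAttestationObject("android-safetynet");

// Usage in a browser: navigator.credentials.create({ publicKey: buildCreationOptions({...}) })
// then attestationFormatOf(new Uint8Array(credential.response.attestationObject)) on the server.
console.log(classifyAttestation(SAMPLE_ANDROID_KEY));
console.log(classifyAttestation(SAMPLE_SAFETYNET));
```

During the opt-in window the same relying party can receive either format, so treat the fmt value as data to dispatch on rather than assuming one format; logging the value per registration gives a direct view of how far the rollout has progressed for your users.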

If you're using the FIDO2 Play Services API in an Android app, switching to hardware-backed key attestation requires Play Services version 22.0.0 on the device. Developers can then specify android-key as the attestation format in the PublicKeyCredentialCreationOptions. You may need to update your Play Services dependencies to see this new option.

We will continue to evolve the FIDO APIs. Please continue to provide feedback via fido-dev@fidoalliance.org to connect with the team and the developer community.
