
Attestation format change for the Android FIDO2 API



Posted by Christiaan Model – Group Product Supervisor

In 2019 we launched a FIDO2 API, adopted by many major developers, which allows users to generate an attested, device-bound FIDO2 credential on Android devices.

Since this launch, Android has generated an attestation statement based on the SafetyNet API. Because the underlying SafetyNet API is being deprecated, the FIDO2 API must move to a new attestation scheme based on hardware-backed key attestation. This change will require action from developers using the FIDO2 API to ensure a smooth transition.

The FIDO2 API is closely related to, but distinct from, the passkeys API and is invoked by setting the residentKey parameter to discouraged. While our goal is to migrate developers to the passkey API over time, we understand that not all developers who are currently using the FIDO2 API are ready for that move, and we continue working on ways to converge these two APIs.

We will update the FIDO2 API on Android to produce attestation statements based on hardware-backed key attestation. As of November 2024, developers can opt in to this attestation scheme with controls for individual requests. This should be useful for testing and incremental rollouts, while also allowing developers full control over the timing of the switch over the next 6 months.

We will begin returning hardware-backed key attestation by default for all developers in early April 2025. From that point, SafetyNet certificates will no longer be granted. It is important to implement support for the new attestation statement, or move to the passkey API, before the cutover date; otherwise your applications will not be able to parse the new attestation statements.

For web apps, requesting hardware-backed key attestation requires Chrome 130 or higher to enroll in the WebAuthn attestationFormats origin trial. (Learn more about origin trials.) Once these conditions are met, you can specify the attestationFormats parameter in your navigator.credentials.create call with the value ["android-key"].

If you're using the FIDO2 Play Services API in an Android app, switching to hardware-backed key attestation requires Play Services version 22.0.0 on the device. Developers can then specify android-key as the attestation format in the PublicKeyCredentialCreationOptions. You must update your Play Services dependencies to see this new option.
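An added example, not code from the original post: while requests can opt in individually, a relying party may receive either attestation format, so the server can read fmt from the attestationObject and dispatch to the matching verifier, rejecting any format it does not accept. The verifier names and the skeletal sample object are assumptions made for the illustration.

```javascript
// Added example, not the post's code. Verifier names are hypothetical.
const VERIFIERS = new Map([
  ["android-key", "verifyAndroidKey"], ["android-safetynet", "verifySafetyNet"]]);

// Minimal CBOR reader: definite-length ints, strings, arrays and maps only.
function readItem(buf, pos) {
  if (pos >= buf.length) throw new Error("truncated CBOR");
  const major = buf[pos] >> 5, info = buf[pos++] & 0x1f;
  if (info > 27) throw new Error("unsupported CBOR length encoding");
  let n = info;
  if (info >= 24) {
    const width = 1 << (info - 24);
    if (pos + width > buf.length) throw new Error("truncated CBOR");
    n = buf.subarray(pos, pos += width).reduce((acc, b) => acc * 256 + b, 0);
  }
  if (major < 2) return [major ? -1 - n : n, pos];
  if (major === 2 || major === 3) {
    if (pos + n > buf.length) throw new Error("truncated CBOR");
    const bytes = buf.subarray(pos, pos + n);
    return [major === 3 ? new TextDecoder().decode(bytes) : bytes, pos + n];
  }
  if (major > 5) throw new Error("unsupported CBOR type");
  const out = major === 4 ? [] : Object.create(null);
  for (let i = 0; i < n; i++) {
    let key = i;
    if (major === 5) [key, pos] = readItem(buf, pos);
    [out[key], pos] = readItem(buf, pos);
  }
  return [out, pos];
}

// Throws on malformed input or on a format this relying party does not accept.
function selectVerifier(attestationObject, accepted = [...VERIFIERS.keys()]) {
  const buf = new Uint8Array(attestationObject);
  const [obj, end] = readItem(buf, 0);
  if (end !== buf.length) throw new Error("trailing bytes");
  if (typeof obj.fmt !== "string" || !(obj.authData instanceof Uint8Array))
    throw new Error("not an attestationObject");
  if (!accepted.includes(obj.fmt) || !VERIFIERS.has(obj.fmt))
    throw new Error(`attestation format not accepted: ${obj.fmt}`);
  return VERIFIERS.get(obj.fmt);
}

// Constructed sample: skeletal attestationObject (empty attStmt, 4-byte authData).
function sampleAttestationObject(fmt) {
  const text = (s) => [0x60 + s.length, ...new TextEncoder().encode(s)];
  return Uint8Array.from([0xa3, ...text("fmt"), ...text(fmt), ...text("attStmt"),
    0xa0, ...text("authData"), 0x44, 0, 0, 0, 0]);
}
```

Passing ["android-key"] as the second argument models the policy after the cutover, when a SafetyNet statement should no longer be accepted.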

We will continue to evolve FIDO APIs. Please continue to provide feedback using fido-dev@fidoalliance.org to connect with the team and developer community.
