Posted by Christiaan Brand – Group Product Manager
In 2019 we launched a FIDO2 API, adopted by many leading developers, which allows users to generate an attested, device-bound FIDO2 credential on Android devices.
Since this launch, Android has generated an attestation statement based on the SafetyNet API. Because the underlying SafetyNet API is being deprecated, the FIDO2 API must move to a new attestation scheme based on hardware-backed key attestation. This change will require action from developers using the FIDO2 API to ensure a smooth transition.
The FIDO2 API is closely related to, but distinct from, the passkeys API and is invoked by setting the residentKey parameter to discouraged. While our goal is over time to migrate developers to the passkey API, we understand that not all developers who are currently using the FIDO2 API are ready for that move, and we continue working on ways to converge these two APIs.
We will update the FIDO2 API on Android to produce attestation statements based on hardware-backed key attestation. As of November 2024, developers can opt in to this attestation scheme with controls for individual requests. This should be useful for testing and incremental rollouts, while also allowing developers full control over the timing of the switch over the next 6 months.
We will begin returning hardware-backed key attestation by default for all developers in early April 2025. From that point, SafetyNet certificates will no longer be granted. You must implement support for the new attestation statement, or move to the passkey API before the cutover date; otherwise your applications might not be able to parse the new attestation statements.
For web apps, requesting hardware-backed key attestation requires Chrome 130 or higher to enroll in the WebAuthn attestationFormats origin trial. (Learn more about origin trials.) Once these conditions are met, you can specify the attestationFormats parameter in your navigator.credentials.create call with the value ["android-key"].
If you're using the FIDO2 Play Services API in an Android app, switching to hardware-backed key attestation requires Play Services version 22.0.0 on the device. Developers can then specify android-key as the attestation format in the PublicKeyCredentialCreationOptions. You may need to update your Play Services dependencies to see this new option.
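As an added example (not code from this post or from Google's libraries), here is the web-side request described above together with a relying-party check of which attestation format actually came back, so a parser that only knows android-safetynet fails during testing rather than at the cutover. It assumes the attestation object has already been CBOR-decoded into { fmt, attStmt, authData }; rpId, userId and userName are placeholder inputs.

```javascript
// Added example (not from the post): request hardware-backed key attestation
// from a web app, then classify the attestation object the authenticator
// returned. Field names follow the WebAuthn PublicKeyCredentialCreationOptions
// and attestation object layouts; `decoded` is assumed to come from a CBOR decoder.

const NEW_FORMAT = "android-key";        // hardware-backed key attestation
const OLD_FORMAT = "android-safetynet";  // no longer granted after early April 2025

// FIDO2 API path (residentKey "discouraged", i.e. not a passkey) asking for the
// new format. attestationFormats needs Chrome 130+ enrolled in the origin trial;
// browsers that do not recognize the member simply ignore it.
function buildCreationOptions({ challenge, rpId, userId, userName }) {
  return {
    publicKey: {
      challenge,
      rp: { id: rpId, name: rpId },
      user: { id: userId, name: userName, displayName: userName },
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      authenticatorSelection: { residentKey: "discouraged" },
      attestation: "direct",
      attestationFormats: [NEW_FORMAT],
    },
  };
}

// Classify a decoded attestation object ({ fmt, attStmt, authData }) so the RP
// rejects formats its verifier does not handle and flags the deprecated one.
function classifyAttestation(decoded) {
  const { fmt, attStmt } = decoded;
  if (fmt === NEW_FORMAT) {
    // android-key carries a COSE alg, a signature and an X.509 chain (x5c);
    // the chain is what the RP later verifies up to the Android attestation root.
    const chainOk = Array.isArray(attStmt?.x5c) && attStmt.x5c.length > 0;
    const ok = chainOk && Number.isInteger(attStmt.alg) && attStmt.sig instanceof Uint8Array;
    return { fmt, ok, deprecated: false, chainLength: chainOk ? attStmt.x5c.length : 0 };
  }
  if (fmt === OLD_FORMAT) {
    return { fmt, ok: true, deprecated: true, chainLength: 0 };
  }
  return { fmt, ok: false, deprecated: false, chainLength: 0 };
}

// Browser entry point; guarded so the module also loads outside a browser.
async function registerWithAndroidKeyAttestation(opts) {
  if (typeof navigator === "undefined" || !navigator.credentials) return null;
  return navigator.credentials.create(buildCreationOptions(opts));
}
```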
We will continue to evolve FIDO APIs. Please continue to provide feedback using fido-dev@fidoalliance.org to connect with the team and developer community.