Posted by Christiaan Model – Group Product Supervisor
In 2019 we introduced a FIDO2 API, adopted by many major developers, which allows users to generate an attested, device-bound FIDO2 credential on Android devices.
Since this launch, Android has generated an attestation statement based on the SafetyNet API. Because the underlying SafetyNet API is being deprecated, the FIDO2 API must move to a new attestation scheme based on hardware-backed key attestation. This change will require action from developers using the FIDO2 API to ensure a smooth transition.
The FIDO2 API is closely related to, but distinct from, the passkeys API and is invoked by setting the residentKey parameter to discouraged. While our goal is over time to migrate developers to the passkey API, we understand that not all developers who are currently using the FIDO2 API are ready for that move, and we continue working on ways to converge these two APIs.
We'll update the FIDO2 API on Android to produce attestation statements based on hardware-backed key attestation. As of November 2024, developers can opt in to this attestation scheme with controls for individual requests. This should be useful for testing and incremental rollouts, while also allowing developers full control over the timing of the switch over the next 6 months.
We'll begin returning hardware-backed key attestation by default for all developers in early April 2025. From that point, SafetyNet certificates will no longer be granted. It is important to implement support for the new attestation statement, or move to the passkey API, before the cutover date; otherwise your applications will not be able to parse the new attestation statements.
For web apps, requesting hardware-backed key attestation requires Chrome 130 or higher and enrollment in the WebAuthn attestationFormats origin trial. (Learn more about origin trials.) Once these conditions are met, you can specify the attestationFormats parameter in your navigator.credentials.create call with the value ["android-key"].
If you're using the FIDO2 Play Services API in an Android app, switching to hardware-backed key attestation requires Play Services version 22.0.0 on the device. Developers can then specify android-key as the attestation format in the PublicKeyCredentialCreationOptions. You must update your Play Services dependencies to see this new option.
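As an added example (not code from the original post), the sketch below builds the per-request opt-in for `navigator.credentials.create` described above and, for the relying party, reads the `fmt` field of a returned attestationObject so that both formats can be routed during the opt-in period. Function names, the `attestation: "direct"` setting, the ES256 parameter and the sample bytes are assumptions made for illustration.

```javascript
// Added example, not from the original post; all function names are hypothetical.
// Client: options for navigator.credentials.create({ publicKey }); rp, user, challenge come from your server.
function buildCreationOptions(rp, user, challenge, optInAndroidKey) {
  const publicKey = { rp, user, challenge, attestation: "direct", // "direct" is an assumption
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256, assumed
    authenticatorSelection: { residentKey: "discouraged" } };
  if (optInAndroidKey) publicKey.attestationFormats = ["android-key"];
  return publicKey;
}
// Server: read one CBOR head, returning [majorType, argument, nextOffset].
function head(buf, off) {
  if (off >= buf.length) throw new Error("truncated CBOR");
  const major = buf[off] >> 5, info = buf[off] & 0x1f;
  if (info < 24) return [major, info, off + 1];
  const n = 1 << (info - 24); // argument is 1, 2, 4 or 8 bytes long
  if (info > 27 || off + 1 + n > buf.length) throw new Error("unsupported CBOR");
  let v = 0;
  for (let i = 0; i < n; i++) v = v * 256 + buf[off + 1 + i];
  return [major, v, off + 1 + n];
}
// Offset just past the CBOR item that starts at off.
function skip(buf, off) {
  const [major, arg, next] = head(buf, off);
  if (major === 2 || major === 3) return next + arg; // byte or text string
  if (major === 6) return skip(buf, next); // a tag wraps one item
  if (major !== 4 && major !== 5) return next; // integers, simple values, floats
  let p = next; // array of arg items, or map of arg key/value pairs
  for (let i = 0; i < arg * (major === 5 ? 2 : 1); i++) p = skip(buf, p);
  return p;
}
// Return the "fmt" text of an attestationObject (Uint8Array) without decoding the rest.
function attestationFormat(buf) {
  const [major, pairs, start] = head(buf, 0);
  if (major !== 5) throw new Error("attestationObject is not a CBOR map");
  const text = (m, len, s) => (m !== 3 || s + len > buf.length) ? null
    : new TextDecoder().decode(buf.subarray(s, s + len));
  for (let i = 0, p = start; i < pairs; i++) {
    const key = text(...head(buf, p));
    p = skip(buf, p);
    if (key === "fmt") return text(...head(buf, p));
    p = skip(buf, p);
  }
  return null;
}
// Constructed sample: {"fmt": "android-key", "attStmt": {}, "authData": h'00'}
const enc = (s) => [...new TextEncoder().encode(s)];
const SAMPLE = Uint8Array.from([0xa3, 0x63, ...enc("fmt"), 0x6b, ...enc("android-key"),
  0x67, ...enc("attStmt"), 0xa0, 0x68, ...enc("authData"), 0x41, 0x00]);
```

A relying party can log the value returned by `attestationFormat` for each registration and reject any format it has no verifier for, which makes it visible before the cutover whether `android-key` statements are being handled.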
We'll continue to evolve FIDO APIs. Please continue to provide feedback using fido-dev@fidoalliance.org to connect with the team and developer community.