Android Developers Blog
The latest Android and Google Play news for app and game developers.
🔍
Android Developers
Jetpack Kotlin Docs News
Platform Android Studio Google Play Jetpack Kotlin Docs News
Android Developers on YouTube Android Developers on LinkedIn Android Developers on Medium Follow Android Developers on X
Google Play Site Google Play Apps & Games on LinkedIn Google Play Apps & Games on Medium Follow GooglePlayBiz on X
Platform Android Studio Google Play Jetpack Kotlin Docs News More
Android Developers on YouTube Android Developers on LinkedIn Android Developers on Medium Follow Android Developers on X
|
Google Play Site Google Play Apps & Games on LinkedIn Google Play Apps & Games on Medium Follow GooglePlayBiz on X

24 September 2024

Attestation format change for the Android FIDO2 API

Share on LinkedIn Share on X Share on Facebook Share in mail Copy link
Link copied to clipboard
Posted by Christiaan Brand – Group Product Manager

In 2019 we introduced a FIDO2 API, adopted by many leading developers, which allows users to generate an attested, device-bound FIDO2 credential on Android devices.

Since this launch, Android has generated an attestation statement based on the SafetyNet API. As the underlying SafetyNet API is being deprecated, the FIDO2 API must move to a new attestation scheme based on hardware-backed key attestation. This change will require action from developers using the FIDO2 API to ensure a smooth transition.

The FIDO2 API is closely related to, but distinct from, the passkeys API and is invoked by setting the residentKey parameter to discouraged. While our goal is over time to migrate developers to the passkey API, we understand that not all developers who are currently using the FIDO2 API are ready for that move and we continue working on ways to converge these two APIs.

We will update the FIDO2 API on Android to produce attestation statements based on hardware-backed key attestation. As of November 2024, developers can opt in to this attestation scheme with controls for individual requests. This should be useful for testing and incremental rollouts, while also allowing developers full control over the timing of the switch over the next 6 months.

We will begin returning hardware-backed key attestation by default for all developers in early April 2025. From that point, SafetyNet certificates will no longer be granted. It is important to implement support for the new attestation statement, or move to the passkey API before the cutover date, otherwise your applications might not be able to parse the new attestation statements.

For web apps, requesting hardware-backed key attestation requires Chrome 130 or higher to enroll in the WebAuthn attestationFormats origin trial. (Learn more about origin trials.) Once these conditions are met, you can specify the attestationFormats parameter in your navigator.credentials.create call with the value ["android-key"].

If you're using the FIDO2 Play Services API in an Android app, switching to hardware-backed key attestation requires Play Services version 22.0.0 on the device. Developers can then specify android-key as the attestation format in the PublicKeyCredentialCreationOptions. You must update your Play Services dependencies to see this new option.

We will continue to evolve FIDO APIs. Please continue to provide feedback using fido-dev@fidoalliance.org to connect with the team and developer community.

Authentication credential manager FIDO2 Identity passkeys

Google developers blog

Google Developers Blog

Connect

Android Developers
Android Developers on YouTube Android Developers on LinkedIn Android Developers on Medium Follow Android Developers on X
Google Play Site Google Play
Google Play Apps & Games on LinkedIn Google Play Apps & Games on Medium Follow GooglePlayBiz on X

Subscribe