The FIDO2 API allows Android applications to create and use strong, attested public key- based credentials for the purpose of authenticating users. The API provides a WebAuthn Client implementation, which supports the use of BLE, NFC, and USB roaming authenticators (security keys) as well as a platform authenticator, which allows the user to authenticate using their fingerprint or screenlock.
Integration
The FIDO2 API entry point is the Fido2ApiClient.
The API supports two operations:
- Registration is done once per authenticator per account, when the user associates an authenticator with an account.
- Signing is done whenever the relying party wants to authenticate a user.
Both registration and signing require user interaction.
A sample application demonstrating API usage can be found at https://github.com/android/security-samples/tree/master/Fido.
Interoperability with your website
It is simple to allow users to seamlessly share credentials across your website and Android application. To do so, leverage the Digital Asset Links. You can declare associations by hosting a Digital Asset Links JSON file on your website, and adding a link to the Digital Asset Link file to your app's manifest.
For example, if you want to associate https://example.com with an Android app
com.example.android, here's 3 required steps:
Step 1. Host assetlinks.json at your domain
Create a JSON file like this and host it at https://example.com/.well-known/assetlinks.json.
[
{
"relation" : [
"delegate_permission/common.handle_all_urls",
"delegate_permission/common.get_login_creds"
],
"target" : {
"namespace" : "web",
"site" : "https://example.com"
}
},
{
"relation" : [
"delegate_permission/common.handle_all_urls",
"delegate_permission/common.get_login_creds"
],
"target" : {
"namespace" : "android_app",
"package_name" : "com.example.android",
"sha256_cert_fingerprints" : [
"DE:AD:BE:EF"
]
}
}
]
Make sure it's crawlable from Google and is served with HTTP header
Content-Type: application/json.
Step 2. Link to assetlinks.json in Android app
In your Android app, add the following line to the manifest file under <application>:
<meta-data android:name="asset_statements" android:resource="@string/asset_statements" />
Step 3. Add an asset_statements string resource to the strings.xml file
The asset_statements string is a JSON object that specifies the assetlinks.json
files to load. You must escape any apostrophes and quotation marks you use in
the string. For example:
<string name="asset_statements" translatable="false">
[{
\"include\": \"https://example.com/.well-known/assetlinks.json\"
}]
</string>
To learn more about associating your app and your website, read the SmartLock for Passwords on Android documentation.