Background

On the 25th of February 2019, the FIDO Alliance announced that any device running Android 7.0+ is now FIDO2 Certified out of the box.

The FIDO2 APIs for Android were updated in December 2018, but I could not find any examples showing how to use them. There is a sample project for FIDO U2F and a one-liner that says: “The FIDO2 API can be integrated into your Android app in a similar fashion”, but it is not that easy.

I have created a small app that demos how to use these APIs with local, hard-coded options. In reality these options would come from a FIDO2 server. There are a few websites where you can play with FIDO2 on your desktop and mobile browser already, such as webauthn.io.

The Code

To get started on Android you need to include the play-services-fido library as a dependency.

implementation 'com.google.android.gms:play-services-fido:17.0.0'

You will then need to create PublicKeyCredentialCreationOptions. For the API demo the specific values you set here do not matter too much, and in practice you will just set whatever you receive from your server. I used these values:

The biggest stumbling block here is the PublicKeyCredentialRpEntity ID. I will go into more detail about this at the end of this post when I discuss the Relying Party ID.

Next you will need to get a FIDO2 pending intent for registration with these options and launch it.

This will give the UI over to play-services-fido.
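The registration steps described above, put together as an added example (not the author's demo app or code from the original post). The activity name, RP ID, user details and request code are placeholder assumptions, and the locally generated challenge stands in for one a FIDO2 server would issue.

```kotlin
import android.app.Activity
import android.os.Bundle
import android.util.Log
import com.google.android.gms.fido.Fido
import com.google.android.gms.fido.fido2.api.common.EC2Algorithm
import com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialCreationOptions
import com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialParameters
import com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialRpEntity
import com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialType
import com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialUserEntity
import java.security.SecureRandom

// Hypothetical demo activity; every constant below is a placeholder.
class RegisterDemoActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        startRegistration()
    }

    private fun startRegistration() {
        // Stand-in only: a real challenge is issued by the FIDO2 server,
        // which also verifies it in the registration response.
        val challenge = ByteArray(32).also { SecureRandom().nextBytes(it) }

        val options = PublicKeyCredentialCreationOptions.Builder()
            .setRp(PublicKeyCredentialRpEntity(RP_ID, "Fido2 Demo", null))
            .setUser(PublicKeyCredentialUserEntity(
                "demo-user-id".toByteArray(), "demo@example.com", null, "Demo User"))
            .setChallenge(challenge)
            .setParameters(listOf(PublicKeyCredentialParameters(
                PublicKeyCredentialType.PUBLIC_KEY.toString(), EC2Algorithm.ES256.algoValue)))
            .setTimeoutSeconds(60.0)
            .build()

        // Ask play-services-fido for the registration pending intent and launch it.
        Fido.getFido2ApiClient(this).getRegisterIntent(options)
            .addOnSuccessListener { pending ->
                if (pending.hasPendingIntent()) {
                    pending.launchPendingIntent(this, REQUEST_CODE_REGISTER)
                }
            }
            .addOnFailureListener { e -> Log.e("Fido2Demo", "getRegisterIntent failed", e) }
    }

    companion object {
        private const val RP_ID = "example.com"      // placeholder Relying Party ID
        private const val REQUEST_CODE_REGISTER = 1  // arbitrary request code
    }
}
```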