A further push for passkeys: Android Credential Manager generally available from November 1st

A further push for passkeys: Android Credential Manager generally available from November 1st

Google will designate Credential Manager, an Android Jetpack API, generally available from November 1st.

Jetpack is a set of libraries for Android which are unbundled from platform APIs and use the androidx namespace, so they can be updated more often than the Android platform.

The big deal with Credential Manager is that it supports passkeys for devices running Android 9 (API level 28) or higher. Google’s Diego Zavala, product manager on the authentication team, insists that “Passkeys are the future of online authentication,” citing improved security and convenience versus traditional passwords. Apps that already use Credential Manager to support passkeys include Uber and Whatsapp.

Credential Manager also supports passwords and Google ID tokens, providing a consistent user interface for different sign-in methods. And it is possible for third-party credential providers such as 1Password to integrate with Credential Manager. 

Passkeys use public/private key cryptography. A public key for the user is stored on a website and the private key on a device. When signing in, an application retrieves a challenge from the server, which is newly generated for every login. The response to the challenge is signed using the user’s private key, which can be stored on the device where sign in is taking place, or on another device provided it is in close proximity (verified by a Bluetooth connection). Access to the private key is typically guarded by biometric authentication, or a PIN.

A developer guide to using passkeys with Credential Manager is here. There is also a guide to user interface patterns for authentication using Credential Manager, which advises developers to “make passkeys the default option over passwords” when creating a new account. However, it says to “offer users a fallback option if they dismiss the passkey creation screen.” The guide also suggests that when users need to reset a password, they are pointed towards creating a passkey instead.

Advantages cited for passkeys include no requirement for a password, faster sign-in, and resistance to attacks such as phishing or SIM hijack. Passkeys were developed by the FIDO (Fast Identity Online) alliance and the W3C WebAuthn working group.

Despite the security advantages of passkeys, there are concerns. One is the risk of users losing passkeys, for example because they are locked out of their Google or other account (Apple also has strong passkey support), who may then lose access to other accounts as well. A related risk is that moving between ecosystems (such as from Google to Apple or vice versa) becomes more difficult. Google’s passkey FAQ notes that “Support for moving passkeys directly from one platform provider to another is not available at this time.” A possible solution is to use a third-party provider.