HomeAndroidBringing seamless authentication to your apps with passkeys utilizing Credential Supervisor API...

Bringing seamless authentication to your apps with passkeys utilizing Credential Supervisor API | by Niharika Arora | Android Builders | Mar, 2023


Conventional authentication options pose a variety of safety and value challenges. The Credential Supervisor API helps you and your customers overcome these challenges.

Passwords are broadly used however…

Android has created the Credential Supervisor API to simplify the sign-in expertise and handle safety dangers by supporting passkeys, the following technology trade normal for passwordless authentication.

Credential Supervisor brings collectively assist for passkeys and combines it with conventional authentication strategies comparable to passwords, Sign up with Google and so forth.

When interacting with apps that assist passkeys, utilizing the Credential Supervisor API, customers can create passkeys and retailer them within the Google Password Supervisor. The Google Password Supervisor then syncs these passkeys throughout all of the Android units the place that consumer has signed in. Customers also can use passkeys to authenticate in a seamless and safe method. Along with supporting passkeys, Credential Supervisor additionally helps current sign up strategies, comparable to user-id/password (from Google Password Supervisor) and Google Signal In.

This weblog explains create a passkey utilizing the Credential Supervisor API, and authenticate the consumer by way of the API .

Customers can safe entry to their gadget by way of biometrics or a normal display lock credential (PIN, sample or password).

Within the context of passkeys, biometric authentication can be utilized along with — or as a substitute of — conventional authentication strategies comparable to passwords or PINs. When utilizing biometric authentication, the consumer supplies their biometric knowledge, which is then in comparison with the saved biometric knowledge on gadget to verify the consumer’s identification.

Utilizing biometric authentication can present the next stage of safety than conventional authentication strategies, as it’s rather more tough for an unauthorized consumer to mimic somebody’s distinctive biometric traits. Biometric data and processing continues to remain on the gadget and is rarely despatched to any distant server — the server solely sees an assurance that the biometric examine was profitable.

Step one to allow assist for passkeys in your Android app is to affiliate your app and the web site.

To realize this, declare associations by internet hosting a Digital Asset Hyperlinks JSON file in your web site, and add a hyperlink to the Digital Asset Hyperlink file to your app’s manifest.

The Digital Asset Hyperlinks protocol and API allow an app or web site to make public, verifiable statements about different apps or web sites. For instance, an internet site can declare that it’s related to a particular Android app, or it could possibly declare that it needs to share consumer credentials with one other web site.

To know extra on affiliate your app with an internet site, please examine our official documentation.

The 4 elements of the passkey registration circulation are:

It’s worthwhile to create a passkey, affiliate it with a consumer’s account, and retailer the passkey’s public key in your server earlier than the consumer can sign up with it.

Diagram illustrating the creation of a passkey, showing the moving of information from the backend into the createCredential(…) method

Create a passkey

To create a passkey:

Be aware : The best UX can be that the passkey creation is recommended after the consumer indicators in, with out the necessity to go to settings and have the consumer manually search for the ‘create a passkey’ button.

Affiliate a passkey with a consumer’s account

That is the data returned from the backend:

2. Now name createCredential(<information returned from the backend>) request, which is a suspendable perform and waits for the consumer to consent to your app’s use of a passkey, in addition to which credential supplier, and account it must be saved with.

Be aware : It’s worthwhile to initialize a CredentialManager object earlier than calling createCredential() technique:

Subsequent, create a passkey :

Be aware: Even with the identical parameter object, the above name creates a brand new credential each time it’s referred to as. Use the exclude checklist to stop registering the identical authenticator twice. See excludeCredentials above

The system shows this UI close to the underside of the display.

3. A passkey is created after receiving the consumer’s consent utilizing the gadget’s display lock/biometrics. The credential supplier creates a brand new uneven key pair and securely shops the personal key on the gadget.

4. After the suspendable name is resolved, a public key credential containing a brand new public key, a credential ID, and different attestation knowledge is returned to your app.

Retailer the passkey’s public key in your server

Your app ought to now ship the general public key credential to the backend. The backend shops the credential ID and the general public key related to the consumer account for future authentications.

The general public key credential object accommodates the next properties:

After the credentials get registered on the server efficiently, the consumer can use the passkey the following time they sign up to your app.

Save the credential information in your app for future use

You’ll be able to then retailer the data retrieved from the credential to the on-device database for future use. The next checklist consists of some typical properties to save lots of:

To authenticate a consumer with a previously-created passkey, observe the steps on this part. The API and elements for use are the identical as used while you create a passkey (described above). Solely the workflow differs:

Diagram illustrating the authentication  of a passkey

5. Construct the sign-in request, utilizing the choices retrieved from the earlier step:

6. Now, name credentialManager.getCredential(…) . The api validates the rp.id in opposition to the origin, and hashes the clientData.

7. The credential supplier finds a credential that matches the Relying Occasion ID and prompts the consumer to consent to the authentication. As soon as the consumer selects a passkey to authenticate and the steps are profitable, the credential supplier creates a brand new assertion by signing over the clientDataHash and authenticatorData with the personal key generated for this account throughout registration.

8. The authenticator returns the authenticatorData and assertion signature again to the consumer.

9. The credential supervisor APIs return a PublicKeyCredential object that accommodates the AuthenticatorAssertionResponse, which is returned to the RP to finalize the authentication.

Ship the returned public key credential to your app server #

response.authenticatorData: An ArrayBuffer of authenticator knowledge. This discipline accommodates data such because the RP ID. The authenticator knowledge construction is a byte array of 37 bytes or extra.

response.signature: An ArrayBuffer of the signature. This worth is the core of the credential and must be verified on the server. That is the signature generated by the personal key related to this credential. On the server, the general public key will probably be used to confirm that this signature is legitimate.

response.userHandle: An ArrayBuffer that contained the consumer ID that was set at creation time. This worth can be utilized, as a substitute of the credential ID, if the server wants to choose the ID values that it makes use of, or if the backend needs to keep away from creating an index on credential IDs. This discipline represents the consumer.id that was equipped throughout registration. It may be used to narrate this assertion to the consumer on the server.

authenticatorAttachment: Returns platform when this credential got here from the native gadget. In any other case cross-platform, notably when the consumer used a cellphone to sign up. If the consumer wants to make use of a cellphone to sign-in, think about prompting them to create a passkey on the native gadget.

sort: This discipline is at all times set to “public-key”.

Validate the Authentication knowledge

Help for Third-party password managers is obtainable on units that run Android 14 or larger.

Now let’s take a second to summarize what we mentioned on this weblog at the moment!

Listed below are the important thing takeaways for builders:

To know extra about how the API and strategies work, you’ll be able to learn by our documentation right here: https://developer.android.com/coaching/sign-in/passkeys

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments