Dashlane Passkey Support Coming to Android
Co-written by Rew Islam and Guillaume Bouxin
In February, Google released the first developer preview for Android 14, an early look at the next version of Android slated for release later this year.
This developer preview contains Android changes that enable third-party applications to manage passkeys. Passkeys are phishing-resistant credentials based on FIDO standards and are the future of online authentication, designed as a more secure and user-friendly replacement for passwords.
Dashlane has been at the forefront of passkey support since passkeys were announced last year. In August, Dashlane introduced integrated passkey support in our security-first password manager and unveiled the first in-browser passkey solution. You can try our preview on the desktop Chrome browser using the Dashlane Chrome extension (this will work on any Chromium-based browser).
What the Android 14 developer preview means for passkeys
So, what is interesting about this Android 14 Developer Preview? Until now, you could only synchronize your passkeys to platform vendor ecosystems such as iCloud Keychain on Apple platforms or the Google Password Manager on Android.
Tech companies like Apple, Google, and Microsoft have been working on passwordless authentication for years. Learn what they’re currently doing to support passkeys.
If you use a dedicated password manager, such as Dashlane, you’ll probably expect it to manage your passkeys for you, just as it does with your passwords. Under the hood, the mechanism behind passkeys is more sophisticated than a password, though this isn’t apparent in the user experience; passkeys are actually much simpler than passwords to create and use. This sophistication relies on the software you use on your device. In most cases, this will be your browser or your mobile operating system.
Mobile platforms such as Android and iOS will require changes to enable third-party applications such as Dashlane to manage passkeys. These are the very changes that have been included in this developer preview of Android 14. The user can simply create a passkey using their fingerprint instead of entering a password. The fingerprint ties the authentication action to the user of the device, which prevents anyone else from creating and using passkeys on this specific device.
Watch this quick demo video to see how to create a new account on an Android demo application.
Although the user interface of the bottom sheet (the component that slides up from the bottom of your screen to show additional content) is part of Android, the passkey is actually being created by Dashlane and stored in the user’s vault. When you’re signing in, the passkey stored in the Dashlane vault is being used to sign the challenge, which validates the authentication. All of this takes place without the user needing to do anything but touch their fingerprint sensor (or, alternatively, enter a device PIN).
This is the first Android iteration that enables password managers to manage passkeys, and we anticipate the public release later this year. Look out for websites adopting passkeys in the months and years to come. Once you start using passkeys, you won’t want to return to passwords. Besides enabling you to skip typing in anything, passkeys are also far more secure than passwords, offering both phishing resistance and ease of use. Higher levels of security often come at the cost of usability, but as you can see in the demo video above, that’s not the case with passkeys.
How passkey support works at Dashlane
There are two flows that Dashlane needs to implement. The first is creating a passkey and saving it in the encrypted Dashlane vault. The second is to sign in with an existing passkey. Both implementations need to conform to the WebAuthn spec in order to work.
When creating a passkey, Dashlane will generate an asymmetric key pair, storing the private key securely in the user’s vault and returning the public key to the relying party (the website or application registering the passkey). When signing in with a passkey, the relying party will send a challenge that Dashlane will sign with the private key, sending the response back to authenticate the user.
The most commonly used algorithm in WebAuthn is ECDSA with SHA-256, used both to create the key pair and to sign the challenge, but the relying party can request a different algorithm.
Generate an asymmetric keypair in the Kotlin programming language:
Sign a challenge with a private key in Kotlin:
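An added example, not Dashlane's code, covering both steps with the standard java.security (JCA) APIs available on Android: generate a P-256 key pair, then sign and verify a WebAuthn assertion over authenticatorData || SHA-256(clientDataJSON), which is the exact byte string the relying party checks. The origin, rpId, sign count and challenge bytes are constructed sample values.

```kotlin
import java.security.*
import java.security.spec.ECGenParameterSpec
import java.util.Base64

// Step 1: generate the passkey's key pair on P-256 (WebAuthn alg ES256, COSE -7).
// A provider such as Dashlane keeps the private key in the encrypted vault and
// returns only the public key to the relying party at registration.
fun generatePasskeyKeyPair(): KeyPair =
    KeyPairGenerator.getInstance("EC").apply {
        initialize(ECGenParameterSpec("secp256r1"), SecureRandom())
    }.generateKeyPair()

fun sha256(data: ByteArray): ByteArray = MessageDigest.getInstance("SHA-256").digest(data)

// Step 2: sign what WebAuthn signs in an assertion: authenticatorData || SHA-256(clientDataJSON).
// The relying party's challenge and the origin live inside clientDataJSON, so the signature is bound to both.
fun signAssertion(key: PrivateKey, authData: ByteArray, clientDataJson: ByteArray): ByteArray =
    Signature.getInstance("SHA256withECDSA").run {
        initSign(key)
        update(authData)
        update(sha256(clientDataJson))
        sign()
    }

// Relying-party side: verify with the public key stored at registration.
fun verifyAssertion(key: PublicKey, authData: ByteArray, clientDataJson: ByteArray, sig: ByteArray): Boolean =
    Signature.getInstance("SHA256withECDSA").run {
        initVerify(key)
        update(authData)
        update(sha256(clientDataJson))
        verify(sig)
    }

// Constructed clientDataJSON for a sign-in ("webauthn.get") carrying a base64url-encoded challenge.
fun clientData(challenge: ByteArray, origin: String): ByteArray {
    val b64 = Base64.getUrlEncoder().withoutPadding().encodeToString(challenge)
    return """{"type":"webauthn.get","challenge":"$b64","origin":"$origin"}""".toByteArray()
}

fun main() {
    val keyPair = generatePasskeyKeyPair()
    val challenge = ByteArray(32).also { SecureRandom().nextBytes(it) }   // constructed RP challenge
    // Minimal constructed authenticatorData: rpIdHash || flags (UP|UV = 0x05) || 4-byte sign count.
    val authData = sha256("example.com".toByteArray()) + byteArrayOf(0x05) + byteArrayOf(0, 0, 0, 1)
    val origin = "https://example.com"
    val sig = signAssertion(keyPair.private, authData, clientData(challenge, origin))
    println("valid:        " + verifyAssertion(keyPair.public, authData, clientData(challenge, origin), sig))
    // The same signature fails if clientDataJSON differs (here: another origin), which is why the
    // relying party can trust the origin and challenge it reads out of clientDataJSON.
    println("other origin: " + verifyAssertion(keyPair.public, authData, clientData(challenge, "https://other.example"), sig))
}
```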
With Android 14, Dashlane can use the Jetpack credentials library to communicate with an application that wants to use a passkey. It enables a third-party application to be invoked when there’s a request for a passkey to be created or used. Dashlane will have to be selected as an identity provider service in the device settings, similar to how autofill works on Android. Currently, this flow works only for native applications, and we expect support for websites to follow in subsequent developer previews.
If you are a developer looking to implement sign-in with passkeys on your native Android application, you can follow the steps described in this guide provided by Google.
When will this be available for Dashlane users?
Android passkey support for native applications comes with Android 14, which is planned for public release in August 2023. It will take a little more time for apps and websites to start adopting passkeys, but we expect this to accelerate once there is broad support for passkeys among the devices many people use every day.