Android Protected Confirmation and FIDO

In a previous post, we talked about how Android and iOS have made enormous progress in mobile platform security in response to increasingly sophisticated threats. Nok Nok Labs (Nok Nok) is also focused on helping the industry as a whole defend against threats, which is why we provide a path to mitigating those threats by marshaling four important security elements: biometrics, FIDO (Fast Identity Online) protocols, hardware-based keys, and secure display.

The last element, secure display, was given the nod in a recent SecurityWeek post that affirms just how prescient the FIDO Alliance was when it added secure display to the FIDO (Fast Identity Online) standard. The article discusses a new security API rolled out with Android 9 (“Pie”) called Android Protected Confirmation. At Google I/O 2018, the “What’s New in Android Security” session showcased Nok Nok as a partner that leverages Android Protected Confirmation.

The feature provides safeguards against account takeover by prompting the user for confirmation during certain transactions deemed important enough to warrant special care. In such scenarios, a protected security environment displays the confirmation message to the user in such a way as to guarantee that the message hasn’t been corrupted by malicious software.

To use Android Protected Confirmation, an app generates a key in the hardware-protected Android Keystore. The app transmits an attestation certificate that certifies that the key can only be used to sign Protected Confirmations. Later when a user confirms a transaction prompt by double pressing the power button, a signed assertion is generated to provide a "what-you-see-is-what-you-sign" interaction. The added confidence of Protected Confirmation can serve to boost security in various use cases, such as person-to-person money transfers, authentication, and medical device control.

Rewind to a few years ago, when Nok Nok worked with Trusted Execution Environment (TEE) vendors to develop a proof-of-concept showcasing exactly this concept. The notion of a tamper-proof transaction display is built in to FIDO, which can completely shut down the possibility of a user being phished to divulge their credentials.

Protected Confirmation is currently implemented only on the Google Pixel 3, although other device vendors may follow suit. However, the FIDO standard, which is supported across all operating systems and mobile devices, encapsulates this protected confirmation functionality (dubbed “Transactions” in FIDO parlance).

Though welcome and necessary, rapid changes in platform security features make it a challenge for app developers to keep up. Using FIDO authentication is one way to deal with this rapid change; by leveraging the latest security features, app developers can get back to developing the non-security features of their core product. Additionally, with FIDO you don't need to change your app or backend infrastructure to take advantage of the mix of security capabilities available now and in the future.