Android

Local Authenticator (create and use passkeys from the local device): Supported

External Authenticator (create and use passkeys from another device): Planned

Overview

The platform authenticator in Android 9+ has the following capabilities:

  • creating and using passkeys that are backed up to Google Password Manager
  • using a passkey from the local Android device to sign into services on another device (such as a laptop or desktop), using FIDO Cross-Device Authentication

Android 14 adds the following capabilities:

Cross-Device Authentication

Android devices can be an authenticator for FIDO Cross-Device Authentication (CDA).

Android devices can be persistently linked to the browsers/platforms below:

  • Chrome OS
  • Windows 11 23H2
  • Chrome & Edge on Windows 11 <23H2
  • Chrome & Edge on Windows 10
  • Chrome on macOS
  • Edge on macOS
  • Chrome on Ubuntu
  • Edge on Ubuntu

macOS (Safari and native apps), iOS (global), and iPadOS (global) do not support persistent linking.

When an authenticator is not persistently linked, a QR code must be scanned on every use.

Platform Notes

User Verification Behavior

Users can configure a device PIN, pattern, and/or biometric (fingerprint or face) as their device screen lock. When a user interacts with a passkey on Android, one of these available screen unlock methods is used for user verification.

When biometrics are not configured or available, both passkey creation and authentication fall back to asking for the device PIN or pattern.

Chrome 120

  • When biometrics are not configured on Android, or not available on the device:
    • The behavior is the same with userVerification='required' and userVerification='preferred': Chrome asks for the device PIN or pattern for both passkey creation and authentication. Because the request fails locally if user verification fails, the server can always expect the UV flag to be true.
    • Calling PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() returns true.
  • When a device PIN or pattern is not configured on Android:
    • The behavior is the same with userVerification='required' and userVerification='preferred':
      • It asks for an external security key on passkey creation. The UV flag the server receives depends on the result of user verification with the external security key.
      • It asks the user to set up a device PIN or pattern on passkey authentication. Because the request fails locally before a PIN or a pattern is configured, the server does not receive a response.
    • Calling PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() returns false.
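
Because the UV flag can depend on an external security key in the no-PIN case above, a relying party should read the flag from the authenticator data rather than assume it. The following is an added example, not code from this page or from any project it describes; the function names and sample bytes are constructed for illustration, and rpIdHash, challenge and signature verification are assumed to happen elsewhere.

```javascript
// Added example: hypothetical helper names, constructed sample data.
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified (screen lock, or the security key's own UV)
const FLAG_BE = 0x08; // backup eligible (credential can be synced)
const FLAG_BS = 0x10; // backup state (credential is currently backed up)

// Authenticator data layout: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian) | ...
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error('authenticatorData must be a Uint8Array of at least 37 bytes');
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backedUp: (flags & FLAG_BS) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Enforce the userVerification value the server put in its request options.
function checkUserVerification(bytes, requested) {
  const data = parseAuthenticatorData(bytes);
  if (!data.userPresent) return { ok: false, reason: 'UP flag not set' };
  if (data.backedUp && !data.backupEligible) {
    return { ok: false, reason: 'BS flag set without BE' };
  }
  if (requested === 'required' && !data.userVerified) {
    return { ok: false, reason: 'UV required but UV flag not set' };
  }
  // With 'preferred', accept but record whether verification actually happened.
  return { ok: true, userVerified: data.userVerified, backedUp: data.backedUp };
}

// Constructed sample: zeroed rpIdHash and signCount, only the flags byte varies.
function sample(flags) {
  const b = new Uint8Array(37);
  b[32] = flags;
  return b;
}

console.log(checkUserVerification(sample(0x1d), 'required'));  // UP+UV+BE+BS
console.log(checkUserVerification(sample(0x01), 'required'));  // UP only
```

Storing the returned userVerified value with the session lets the application require a step-up for sensitive actions when a 'preferred' request came back without verification.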
