Passkeys and identity best practices

Captions
[MUSIC PLAYING]

KATERYNA SEMENOVA: Hi, I'm Kateryna, a Developer Relations Engineer with Android.

GINA BIERNACKI: And I'm Gina, a Product Manager with Google Identity. Today, we'll tell you about our latest authentication solutions for Android that are designed to help you simplify sign-up and sign-in for your apps. Then we'll share some holistic cross-platform identity best practices with you. Let's get started. Most people need to manage accounts across multiple apps, websites, devices and platforms. For developers, sign-up and sign-in flows are among the most critical user journeys for your app. We know it's important for you to make these actions as seamless as possible while ensuring the highest bar for security.

KATERYNA SEMENOVA: We understand the friction that your users can have with creating accounts, and we all know how difficult it can be to remember passwords. And don't even get me started on signing back into apps on a new phone. Problems such as account recovery, fraud, and duplicate account creation are also things that your users may have to deal with. In the Data Breach Investigations Report by Verizon, they stated that social engineering attacks are often very effective and extremely profitable for cyber criminals. 74% of all breaches include a human element, and 80% of breaches are linked to passwords.

GINA BIERNACKI: And for all developers, managing identities can be extremely challenging as well. Getting correct and complete contact information from your users, verifying an email address, and preventing duplicate accounts, while ensuring a high bar for user privacy, are all significant challenges. Getting your users to create strong passwords and storing those passwords securely, guarding against new and future vulnerabilities, complying with regulatory requirements, and ensuring the sign-in flow doesn't get in the way of your user experience are just a few of the things you're probably thinking about.

KATERYNA SEMENOVA: With all those things in mind, we'll share with you how Google can help you solve these problems with your apps in a way that will scale across platforms. These solutions will help you to move towards a future without passwords. First, I'll tell you about Android's Credential Manager API and the latest features and improvements we are making. I'll show how Credential Manager will help you provide a more convenient authentication experience for your users. After that, Gina will speak to broader solutions from Google that can help you build seamless cross-platform identity strategies.

[MUSIC PLAYING]

Credential Manager is the Jetpack library you should use to allow your users to sign up and sign in on Android. The Credential Manager API provides a simple user experience by consolidating passkeys, Sign-In with Google, and passwords in one single interface. To reduce complexity, the system automatically shows the most secure and relevant login option, and users always have a choice to select the sign-in method. Using multiple APIs to build different sign-in methods can be a real challenge. To simplify integration and ongoing maintenance, Credential Manager supports all of these authentication methods in a single Jetpack library. Credential Manager is generally supported on Android 4.4 and higher, and passkeys are supported on Android 8.9 and higher. One of the primary advantages of Credential Manager is its support for passkey authentication. With passkeys, users can sign in to apps and websites using the device screen lock. It could be a fingerprint, facial recognition, a PIN, a pattern, or another screen lock method. It's something users know and use repeatedly on their devices. This provides a faster and more convenient sign-in experience, freeing your users from having to remember usernames and passwords for each app. In addition, passkeys are more secure than passwords. They are based on public key cryptography, and they reduce the risk of phishing attacks and make it more difficult for accounts to be compromised or breached. Passkeys are built on the WebAuthn standard and supported by all major phone platforms and operating systems. Passkeys are synchronized between users' devices via credential providers such as Google Password Manager. So even if they lose their device, they won't lose access to their credentials. The Credential Manager API is the preferred solution to implement Sign-In with Google in your Android apps. Sign-In with Google allows users to use their existing Google account to sign in or sign up seamlessly into your app. Credential Manager fully supports the familiar One Tap flow so users can sign up or sign in with just a single tap. And to help with device migration, Sign-In with Google also supports auto sign-in for returning users. When isAutoSelectAllowed is set, users sign in automatically on a new device. Let's look at the feedback from apps that integrated Credential Manager and passkeys last year. Last year, Amazon integrated passkeys into its Android shopping app and corresponding website. Amazon shared that, "With passkeys, our customers are finding it easier to sign in, compared to passwords and codes." Dashlane is a password management tool that provides a secure way to manage user credentials. Dashlane sees a 70% increase in conversion rate for signing in with passkeys, compared to passwords. TikTok has more than one billion users around the world. TikTok users log in 17 times faster with passkeys than with other methods. After adopting Credential Manager, TikTok developers saw an additional benefit when implementing Sign-In with Google, which significantly improved the overall login success rate. And let's look at another example. Kayak, one of the leading travel search engines, helps users to find the best deals on flights, hotels, and rental cars. Last year, Kayak integrated passkeys into its Android and web apps. As a result, Kayak reduced the average time it takes users to sign in by 50%, and also saw a decrease in support tickets. In addition to passkeys, Kayak offers users Sign-In with Google as the cross-platform solution for account creation and authentication. The majority of Kayak's users prefer Sign-In with Google due to its seamless and secure user flow. Many apps have already seen significant benefits after integrating the Credential Manager API. We are excited to bring even more capabilities to Credential Manager this year. To simplify the passkey user experience even further, we are enabling a single-tap passkey sign-in by merging the account selector and the biometric prompt. This way, the user will just need to use their face, finger, or other screen lock and they will be logged in. This improvement will be automatically supported in new versions of Credential Manager on Android 15 and higher, requiring no additional work for developers. Users may accidentally dismiss the Credential Manager account selector. To make sure that those users will be able to sign in with their passkey, Sign-In with Google, or passwords, Credential Manager options will be shown in autofill services. Your users will see the saved credentials in keyboard suggestions or when they are clicking on a relevant input field during sign-in. This feature will be available in Android 15. Now let's talk about authentication on a new device. We have mentioned before that Sign-In with Google supports Auto Sign-In for returning users. But how about passkeys? For passkeys, we are introducing a new Restore Credentials feature that will allow your users to automatically restore their signed-in state for your app without needing to open the apps one by one. This feature will be available on phones and tablets via the Credential Manager API later this year. So how will users experience this feature? On an Android phone, when a user signs into your app, the app creates a restore key via Credential Manager. If the user has cloud backup enabled, the encrypted restore key can be stored in the cloud. When the user purchases a new device and goes through the restore flow, apps and data are restored on the new device. Your app then requests the restore key without any user interaction. The restore key is decrypted and used to automatically sign in on the new device. We are also happy to announce that Credential Manager is coming to Wear OS. With this integration, you can sign in using your passkeys, Sign-In with Google, and passwords right from your watch. And it also provides support for third-party credential providers, such as Dashlane. You can start working with this feature in the Wear OS 5 quarterly platform release. In addition to passkeys, Sign-In with Google, and passwords, Credential Manager is expanding to support digital identities. Digital identities are a digitalized form of your physical identity documents, such as your driver's license, your passport, or your membership cards. These IDs are stored in digital wallet apps on your device. Credential Manager provides developers with an API that allows your users to share these IDs from their digital wallets with the apps that need them. Over the next few years, we are going to see tons of new ways to use this technology, including things like identity verification and account recovery.

GINA BIERNACKI: Thanks, Kateryna, for the deep dive on our latest Android offerings. Building on the foundation of Credential Manager and passkeys, let's explore some of the best practices you can follow to implement a smooth and secure sign-up and sign-in strategy that works across all platforms, including Android, iOS, and the web. The first best practice is to reduce the reliance on passwords for a safer user experience. This can be achieved by replacing the usage of passwords with passkeys and Sign-In with Google. Sign-In with Google provides the lowest-friction sign-up and sign-in experience, but may not solve for all use cases where passwords are used, while implementing passkeys gives you a seamless sign-in without relying on passwords for all of your user accounts. And together, they increase the convenience and security of sign-up and sign-in for your users. For friction-free account sign-up on all platforms, we recommend integrating with Sign-In with Google. Sign-In with Google works cross-platform on Android, iOS, and web so you can be sure your users can access your app regardless of device or service. You can meet your users wherever they are. Sign-In with Google extends the world-class security of your user's Google account to all of their online accounts and allows them to sign up or sign into your app with a single click on any platform. Users get safe One Tap access to services online using their Google account. And developers get trusted account attributes from Google, such as a verified email address, to streamline account creation. This is done through clear user consent, upholding strong principles to respect user privacy. Let's take a look at results from a developer who has implemented Sign-In with Google. Indeed integrated Sign-In with Google and saw a dramatic increase in sign-in conversion. Today, over 50% of Indeed's users prefer to use Sign-In with Google over other types of authentication solutions, due to its seamless and secure user flow. Furthermore, Indeed is able to capture verified user information with user consent, which enhances the ability to engage and communicate directly with customers-- key attributes that are even more valuable given upcoming changes on the Chrome browser. Sign-In with Google and passkeys are two options that will help you move toward safer and smoother authentication that doesn't rely on passwords. Second, ensure your team is thinking cross-platform for your user experience. Identity works most seamlessly when it is consistent for your users, regardless of their platforms of choice. As users increasingly move multi-device and cross-platform, full support ensures that they don't need to remember and maintain additional passwords and factors. Across all the platforms you work with, we have Sign-In with Google SDKs to simplify the implementation for your development team. These SDKs include integrations with Android's Credential Manager API, the new Federated Credential Management web API implemented by Chrome, and they provide a seamless experience on iOS. For passkeys, users who utilize Google Password Manager today can already sync their passkeys across Android devices, and will soon be able to sync across Apple, Windows, and Chrome OS devices via Chrome. For developers with both apps and websites, you can reduce user friction by using the same passkey across surfaces. To do this, you should set up a relationship between domains and apps to allow for the use of passkeys and passwords across all your surfaces. For Android apps, we recommend using Digital Asset Links, and for iOS apps, we recommend using associated domains. To learn more about implementing Sign-In with Google for your applications on all platforms, see the link in the description below. And if you haven't already, please ensure you implement and migrate to the latest Sign-In with Google SDK on each platform. You'll be providing your users with the most effective offerings available wherever they use your app. Third, if you want additional security enhancements to your Sign-In with Google implementation, we recommend adding Cross-Account Protection to your platform. With Cross-Account Protection, Google can share critical security notifications about account changes, such as account disables and token revocations, with apps and services you've connected to your users' Google account. Cross-Account Protection is part of the OpenID Shared Signals and Events Framework. You can benefit from Google's huge investment in protecting against account takeovers and receive updates to the security of your account to help keep your users safe online. Fourth, create user flows and user journeys that help with account management to reduce duplicate accounts for your users. Duplicate accounts are a problem for everyone. Our features are designed to prevent duplicate accounts by helping users quickly create a logged-in session using an existing credential. By using Credential Manager on Android and FedCM on Chrome, the OS and browser will help users remember their last sign-in method and make it easier for users to return. For Sign-In with Google on Android, ensure that you are filtering for authorized accounts so that only previously linked accounts are shown to the user in Credential Manager. If no accounts are returned, you can make a second call without filtering to allow for easy sign-up. On the web, Sign-In with Google's personalized button, One Tap, and Auto Sign-In functionality will also help with sign-in method recall. On your backend platform, during account creation, you can use the unique Google account ID and email address within the ID token to check for existing accounts to avoid the creation of duplicate accounts. By using a combination of Sign-In with Google and passkeys, users can recover their account more easily, often without needing to enter a username or password, or click on a verification link. Fifth, reduce the complexity for your users to improve sign-up and sign-in rates. According to feedback from partners, both passkeys and Sign-In with Google have been shown to improve sign-up and sign-in flow completion rates. Use Sign-In with Google for sign-up and both Sign-In with Google and passkeys for returning user sign-in. Features such as One Tap and Automatic Sign-In will help you improve your conversion rates. We recommend putting these features on both your main dialogue and leaf pages. This allows users to sign up and sign in in the context of your website without having to navigate away from their current journey. Platform APIs, such as Android Credential Manager and Chrome's FedCM, will further improve rates with seamless unified flows. Last, ensure your implementation meets your organization's current and upcoming compliance requirements. As global standards and requirements evolve, Google builds our developer offerings with global compliance in mind. Our goal is to help you operate globally with minimal disruption. For example, on Chrome, we now have a solution for seamless flows without third-party cookies with the FedCM API, all while minimizing disruption to developers. Additionally, with Sign-In with Google, you can customize your implementation for localization and accessibility needs. Millions of businesses, educational institutions, and nonprofit organizations manage the Google accounts of their members. Through Workspace policies, Sign-In with Google can provide verified organizational data for an account, unlocking valuable use cases, such as Identity and Access Management, community building, and subscription granting. For example, developers can use the domain to help users find their company's content or take advantage of a site license.

KATERYNA SEMENOVA: And that's it. Our aim is to simplify the way developers interact with Android and Google Identity solutions, and help users seamlessly and securely access their accounts across Android apps and websites. Our goal is to provide features and tools that support the Android developer community in building more secure apps.

GINA BIERNACKI: On Android, implement Credential Manager for a unified user experience and improved sign-up and sign-in for your users. Implement passkeys instead of passwords for safer sign-in. Implement Sign-In with Google for streamlined sign-up and sign-in on all platforms.

KATERYNA SEMENOVA: We appreciate your time today. Check the video description to find more resources on how to improve sign-in and sign-up flows in your apps. Thank you.

[MUSIC PLAYING]
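The backend duplicate-account check the talk recommends (match on the Google account ID in the ID token first, then on the verified email address), as an added example that is not part of the video or of any Google SDK. It assumes the ID token's signature has already been verified (for example with Google's google-auth library), so only the issuer, audience and expiry claims are checked here; the account store, the sample claims and the client ID are constructed for the example.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Issuer values Google uses in its ID tokens.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


@dataclass
class Account:
    user_id: str
    email: str
    google_sub: Optional[str] = None  # Google account ID ("sub" claim) once linked


class AccountStore:
    """In-memory stand-in for the user table (constructed for this example)."""

    def __init__(self, accounts):
        self.accounts = list(accounts)

    def by_sub(self, sub):
        return next((a for a in self.accounts if a.google_sub == sub), None)

    def by_email(self, email):
        return next((a for a in self.accounts if a.email == email), None)


def check_claims(claims, expected_aud, now=None):
    """Reject a (signature-verified) token whose claims are not for this app."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("token was not issued for this client ID")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def resolve_account(claims, store, expected_aud, now=None):
    """Return (account, outcome); outcome is 'existing', 'linked' or 'created'."""
    c = check_claims(claims, expected_aud, now)
    sub = c["sub"]
    email = c.get("email", "").lower()
    acct = store.by_sub(sub)                 # 1. the stable Google account ID wins
    if acct:
        return acct, "existing"
    acct = store.by_email(email) if email else None
    if acct:                                 # 2. this address already has an account
        if c.get("email_verified") is not True:
            raise ValueError("email not verified by Google; cannot link existing account")
        if acct.google_sub is not None:
            raise ValueError("email already linked to a different Google account")
        acct.google_sub = sub                # link instead of creating a duplicate
        return acct, "linked"
    new = Account(user_id=f"u{len(store.accounts) + 1}", email=email, google_sub=sub)
    store.accounts.append(new)               # 3. genuinely new user
    return new, "created"
```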
Info
Channel: Android Developers
Views: 5,535
Keywords: Android, pr_pr: Google I/O;, ct:Event - Technical Session;, ct:Stack - Mobile;
Id: fgTOeLShcrY
Length: 19min 54sec (1194 seconds)
Published: Thu May 16 2024