The StrongKey Android Client Library (SACL) is an open source, native Android library providing support for the FIDO2 protocol in native Android apps. It provides the following features:
- It is supported on Android 9 (API 28) “Pie” or greater
- It supports the Java programming language, and does not require the use of JavaScript or the WebView component to deliver FIDO capability. Note that it does not support the use of external Security Keys—only platform keys
- It uses the AndroidKeystore—taking advantage of the Trusted Execution Environment (TEE) or a Secure Element (SE), whichever is present—for key generation, storage and usage. It is always used as a user verifying platform authenticator (UVPA). Devices without the TEE or SE cannot install apps using the SACL
- It supports registration, authentication and transaction authorization using “dynamic linking”—a core requirement of the European Union’s Payment Services Directive 2 regulation for Strong Customer Authentication (SCA)
- It supports the Android BiometricPrompt API for verifying users before enabling use of FIDO keys
- It has out-of-the-box integration with the open-source FIDO®Certified StrongKey FIDO Server (SKFS)—just add your mobile app to the flow
- It includes a sample e-Commerce web application—the Sample FIDO App for e-Commerce (SFAECO)—to demonstrate 4 basic functions:
  - User enrollment
  - FIDO registration
  - FIDO authentication
  - User confirmation of business transactions with the user’s registered FIDO key
- The server-side components of the SFAECO app are available as a Java Enterprise Edition (JEE) application to support the mobile sample app. This JEE application makes web service requests to the SKFS
- It includes a sample browser-based web application—the Back Office Application (BOA)—that works in concert with the SFAECO app to perform sample back-office business functions. Its primary purpose, however, is to demonstrate the use of FIDO for strong authentication, to review business transactions performed by app users, and to show the data collected by the app when performing transaction confirmation (TXC)
- It includes a second sample browser-based web application—FIDO Key Management—to demonstrate the newly announced single sign-on (SSO) capability of the SKFS with JSON Web Tokens (JWT) using X.509-based JSON Web Signatures (JWS)
- These three web applications have been installed on a demo server on the internet (https://psd2demo.strongkey.com) against which the mobile app makes REST web service calls
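The key-handling rules above (hardware-backed key in the AndroidKeystore, biometric user verification before every use, no fallback to software keys) can be enforced with the standard Android APIs. The following Java example is added here for illustration and is not SACL's own code; the class name `PlatformKeyPolicy`, the key alias and the method names are assumptions, and it targets the page's stated minimum of API 28.

```java
import android.hardware.biometrics.BiometricPrompt;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;
import java.security.*;
import java.security.spec.ECGenParameterSpec;

/** Hypothetical helper: create and gate a FIDO-style platform key. */
public final class PlatformKeyPolicy {
    private static final String KEYSTORE = "AndroidKeyStore";

    /** P-256 signing key that needs a fresh biometric for every signature. */
    public static KeyPair generateUvKey(String alias) throws GeneralSecurityException {
        KeyGenParameterSpec.Builder b = new KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN)
            .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
            .setDigests(KeyProperties.DIGEST_SHA256)
            .setUserAuthenticationRequired(true)          // default: per-use authentication
            .setInvalidatedByBiometricEnrollment(true);   // new fingerprint => key unusable
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, KEYSTORE);
        try {
            kpg.initialize(b.setIsStrongBoxBacked(true).build()); // prefer the Secure Element
            return kpg.generateKeyPair();
        } catch (StrongBoxUnavailableException e) {
            kpg.initialize(b.setIsStrongBoxBacked(false).build()); // fall back to the TEE
            return kpg.generateKeyPair();
        }
    }

    /** Refuse keys that are not held and UV-gated inside the TEE or SE. */
    public static boolean isHardwareBacked(PrivateKey key) throws GeneralSecurityException {
        KeyFactory kf = KeyFactory.getInstance(key.getAlgorithm(), KEYSTORE);
        KeyInfo info = kf.getKeySpec(key, KeyInfo.class);
        return info.isInsideSecureHardware()
            && info.isUserAuthenticationRequirementEnforcedBySecureHardware();
    }

    /** Bind the signer to BiometricPrompt; sign only inside onAuthenticationSucceeded. */
    public static BiometricPrompt.CryptoObject prepareSigner(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        if (!isHardwareBacked(key)) throw new SecurityException("key not in TEE/SE");
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(key);   // unlocked only after the prompt's biometric succeeds
        return new BiometricPrompt.CryptoObject(sig);
    }
}
```

Pass the returned CryptoObject to `BiometricPrompt.authenticate(...)` and call `update()`/`sign()` on `result.getCryptoObject().getSignature()` in the success callback, so the challenge and transaction data are signed only after user verification.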
SACL has been tested using Essential PH-1, Google Pixel 3a, and Google Pixel 4a phones—the first two running Android 9 (Pie) with API 28, and the Pixel 4a with Android R (API 30). The device must have a fingerprint enrolled to support the use of SACL. While it is likely to work on most Android devices with biometric capability, your mileage may vary.