Android’s new Credential Manager API provides a seamless way for your app’s users to log in to your apps with one-click solutions.
Credential Manager is a Jetpack API that supports multiple sign-in methods, such as username and password, passkeys, and federated sign-in solutions (such as Sign-in with Google) in a single API, thus simplifying the integration for developers.
Furthermore, for users, Credential Manager unifies the sign-in interface across authentication methods, making it clearer and easier for users to sign into apps, regardless of the method they choose.
Thus, by using the Credential Manager API, our app can:
- Save users’ credentials, such as username and password, when they first log in to or register with our app.
- Secure the saved credentials with Google Password Manager (which syncs the saved credentials with the Google account the user selects while saving).
- Offer one-click login to registered users when they return to sign in to our app, either after a long while or from another device signed in to the same Google account.
Let’s get started with integrating the Credential Manager API into our app.
The Credential Manager API provides two types of authentication: using passkeys and using passwords.
🔐Authentication using passkeys
When using passkeys, users can sign in quickly and securely, for example with biometrics, a PIN, or a pattern.
Why is it quicker, and how is it safe?
It is quicker and safer because passkeys rely on WebAuthn (Web Authentication), a standard jointly developed by the FIDO Alliance and the World Wide Web Consortium (W3C), which internally uses public key cryptography to authenticate users.
There is a detailed blog by Android Developers about how to use passkeys. You can check it by following this link.
If you want to deep dive into how passkeys work in general, you can check out this link.
🔐Authentication using Passwords
In this blog, we are going to see how we can use Credential Manager to securely save our app users’ login data using their usernames and passwords.
The GitHub repo for this example (PRs welcome) can be found here: https://github.com/novumlogic/CredManager
Prerequisites
To use the Credential Manager API, your app must run on Android 4.4 (API level 19) or higher.
Compilation Prerequisites
Some alpha versions (1.2.0-<alpha_version>) of the API run only on certain SDK versions. Check these out here.
I am running Android 14 Beta 1 on my Pixel device, so version 1.2.0-alpha03 works on my device. However, I can also run the below-mentioned versions and get a seamless experience as well.
Adding Dependencies
Inside your app-level build.gradle file, add the following dependencies:
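The dependency block itself did not survive on this page, so the following is an added example (not copied from the post or its repo) written as a build.gradle.kts Kotlin DSL block; in a Groovy build.gradle the same coordinates are written with single quotes and no parentheses. The version 1.2.0-alpha03 is the one the post says works on the author’s device; the Play services artifact is what backs the API on devices below Android 14.

```kotlin
// app/build.gradle.kts (Kotlin DSL). Added example; version taken from the post.
dependencies {
    // Core Jetpack Credential Manager API
    implementation("androidx.credentials:credentials:1.2.0-alpha03")

    // Backs the API with Google Play services on devices running Android 13 and below,
    // where no system credential provider framework exists yet.
    implementation("androidx.credentials:credentials-play-services-auth:1.2.0-alpha03")
}
```

Keep both artifacts on the same version; mixing alpha versions is a common source of the runtime failures the post mentions later.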
Interface to let users log in to or register with our app
Next, we need to prepare a simple login/register page for the same to allow users to enter their usernames and passwords in our app.
For first-time users
If a user is a first-time user of your app, once they are verified (on your server or using the likes of Firebase Authentication), you need to save their credentials with the Credential Manager.
After verifying the user, the app saves the credentials as follows:
Initialize the Credential Manager
Use CreatePasswordRequest to save the user credentials with the Google Password Manager
Handling Exceptions
After createCredential() is successful, we can let the user into our app.
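The four steps above (initialize, build a CreatePasswordRequest, call createCredential(), handle the exceptions), as one added example; this is not the post’s or the repo’s code. It assumes the 1.2.0-style signature `createCredential(context, request)` (earlier alphas took the arguments in the other order), that `context` is an Activity, and that the caller has already verified the username and password against its own backend. The sealed `SaveOutcome` class and `CredentialSaver` are names introduced here.

```kotlin
import android.content.Context
import androidx.credentials.CreatePasswordRequest
import androidx.credentials.CredentialManager
import androidx.credentials.exceptions.CreateCredentialCancellationException
import androidx.credentials.exceptions.CreateCredentialException
import androidx.credentials.exceptions.CreateCredentialNoCreateOptionException

/** Outcome of a save attempt, so the UI can decide what to do next (added example type). */
sealed class SaveOutcome {
    object Saved : SaveOutcome()
    object CancelledByUser : SaveOutcome()
    object NoProviderAvailable : SaveOutcome()
    data class Failed(val type: String) : SaveOutcome()
}

/** Wraps one CredentialManager instance; create it once and reuse it (assumed helper). */
class CredentialSaver(private val credentialManager: CredentialManager) {

    /**
     * Call ONLY after the backend (or Firebase Authentication) has verified the pair.
     * The Credential Manager stores what it is given; it does not check the password.
     */
    suspend fun save(context: Context, username: String, password: String): SaveOutcome {
        val request = CreatePasswordRequest(id = username, password = password)
        return try {
            // Shows the system sheet offering to save to Google Password Manager.
            credentialManager.createCredential(context, request)
            SaveOutcome.Saved
        } catch (e: CreateCredentialCancellationException) {
            // User dismissed the sheet. Login already succeeded, so let them in anyway.
            SaveOutcome.CancelledByUser
        } catch (e: CreateCredentialNoCreateOptionException) {
            // No credential provider on this device can store passwords.
            SaveOutcome.NoProviderAvailable
        } catch (e: CreateCredentialException) {
            // Remaining subclasses: record e.type for diagnostics, never the password.
            SaveOutcome.Failed(e.type)
        }
    }

    companion object {
        fun create(context: Context): CredentialSaver =
            CredentialSaver(CredentialManager.create(context))
    }
}
```

From an Activity, call `CredentialSaver.create(this).save(this, username, password)` inside `lifecycleScope.launch { ... }` once the server has accepted the credentials, and treat `Saved`, `CancelledByUser` and `NoProviderAvailable` alike for the purpose of letting the user into the app: the only thing that differs is whether one-click login will be available next time.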
Recurring User Login
Now let’s discuss the flow of our application when the users need to log in to our app again or log in from some other device (which has the same Google account with which they have already saved their credentials).
To proceed with this flow, we need to evaluate whether the new login is done by
- A new user or
- A user who has not saved their credentials with us or
- A user who has saved their credentials with us in the past
In the first two cases, we follow the same procedure as in the first-time users flow (i.e. verify or register the user and save their credentials with the Credential Manager).
In the third case, we retrieve the saved credentials and let the user log in to our app directly, without requiring them to enter their username and password.
NOTE: In this case, we do not need to show the username and password TextFields, only the login button.
The flow of our app for the third scenario would be as follows:
Check whether the credentials are already saved or not
Initialize the Credential Manager like before. (Reuse the same instance)
Initialize the password authentication option
Fetch the password credentials and return them
Handling Exceptions
After getCredential() is successful, log the user in to our app.
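The retrieval steps above, and the “loose end” discussed later in the post (using getCredential() itself to find out whether anything is saved), as one added example that is not the post’s or the repo’s code. It assumes the 1.2.0-style signature `getCredential(context, request)` with an Activity context; `LoginRoute` and `CredentialFetcher` are names introduced here. Mapping NoCredentialException to “show the form” is the workaround the post describes, not an API feature for pre-checking saved credentials.

```kotlin
import android.content.Context
import androidx.credentials.CredentialManager
import androidx.credentials.GetCredentialRequest
import androidx.credentials.GetPasswordOption
import androidx.credentials.PasswordCredential
import androidx.credentials.exceptions.GetCredentialCancellationException
import androidx.credentials.exceptions.GetCredentialException
import androidx.credentials.exceptions.NoCredentialException

/** Which screen state the app should go to after asking for saved credentials (added type). */
sealed class LoginRoute {
    /** A saved credential was chosen. Still verify it with the backend before granting access. */
    data class UseSaved(val username: String, val password: String) : LoginRoute()
    /** Nothing is saved for this app on this account: show the username/password form. */
    object ShowForm : LoginRoute()
    /** The user dismissed the chooser; fall back to the form as well. */
    object Cancelled : LoginRoute()
    data class Failed(val type: String) : LoginRoute()
}

/** Reuses one CredentialManager instance, as the post recommends (assumed helper). */
class CredentialFetcher(private val credentialManager: CredentialManager) {

    // Only password credentials are requested. A GetPublicKeyCredentialOption could be
    // appended to the same list to offer passkeys through the same sheet.
    private val request = GetCredentialRequest(listOf(GetPasswordOption()))

    suspend fun fetch(context: Context): LoginRoute {
        return try {
            // With saved credentials present this shows the account chooser; with none it throws.
            val result = credentialManager.getCredential(context, request)
            when (val credential = result.credential) {
                is PasswordCredential -> LoginRoute.UseSaved(credential.id, credential.password)
                // Should not happen with only GetPasswordOption requested, but do not assume it.
                else -> LoginRoute.Failed("unexpected credential type: ${credential.type}")
            }
        } catch (e: NoCredentialException) {
            // No credential stored for this app: this is the "first-time user" branch.
            LoginRoute.ShowForm
        } catch (e: GetCredentialCancellationException) {
            LoginRoute.Cancelled
        } catch (e: GetCredentialException) {
            LoginRoute.Failed(e.type)
        }
    }

    companion object {
        fun create(context: Context): CredentialFetcher =
            CredentialFetcher(CredentialManager.create(context))
    }
}
```

Drive the UI from the returned `LoginRoute`: `UseSaved` sends the pair to the same server-side verification used for the form, so a credential pulled from the device store is never trusted on its own; `ShowForm` and `Cancelled` both render the TextFields and the register/login buttons.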
That’s All Folks!
📝 Credential Manager API still in Alpha
This API is still in alpha, and as of this writing I have faced an issue using the latest version. I have logged it with the official issue tracker. It can be found here.
🔩 Some loose ends still to connect
I mentioned in the blog that we show the username and password fields to first-time users so that they can save their credentials, and show only the login button to returning users so that they can pick one of the credentials saved with the API.
But there is, till now, no way to check whether any credentials are saved in order to determine our app’s flow. Should we use GetPasswordOption(), or build a GetCredentialRequest() and call getCredential(), to confirm this? Or is the API team planning to add more support for this? All of this is still unclear as of now.
PS: For now, I used getCredential() to determine whether there are saved credentials. But that opens the dialog to choose saved credentials and does not let us direct the flow as we need. I have created an issue for this here. This flow is still not 100% optimized in the demo app I made 😕, so PRs to it are welcome! 🙌
👩🏫 Educate users on how to delete the saved passwords anytime
As developers, we all know that the saved passwords are secure with Google’s on-device Password Manager and how we can delete them easily. However, users may not know this. It is good to educate our users on the steps they can take so that they feel secure if they want to revert their decision to save the passwords.
Here are the steps to delete the saved credentials:
1. Go to Settings on your device
2. Go to Google
3. Tap ‘Manage your Google Account’
4. Go to the ‘Security’ tab
5. Scroll down to ‘Signing in to other sites’
Here we can see that Google’s Password Manager has 2 saved passwords. This in itself is reassuring about security. However, if the user still wishes to go ahead and delete the saved passwords:
6. Tap ‘Password Manager’
7. Choose your app (listed under your app’s package name)
8. Delete the saved credentials.
✏️To sum up
We saw how Credential Manager is a useful API for providing a seamless and safe login experience for your app’s users. We saw the two authentication methods available for letting our users log in. We saw how we can use the username-password authentication method to save and retrieve user credentials with the Credential Manager for a seamless login experience on both first-time and recurring logins. The library is still in alpha, and I think we should wait for it to mature a bit before using it in our apps.
Meanwhile, we can still use Biometric Authentication to ensure secure logins.