Google announced today that any phone running Android 7 or higher can now be used as a physical
security key for two-factor authentication, giving you an even more
secure way to log into Google apps than several other existing 2FA
methods that Google provides right now. So if you want a physical
device to verify your login, you don’t have to buy a dongle — you can just use your phone.
To make your Android phone your security key, you’ll just
need to connect your phone through Bluetooth to a Chrome browser to
verify logins. (Some older desktop PCs don’t have Bluetooth, but it’s
pretty universal on laptops.) The new authentication scheme works on
Gmail, G Suite, Google Cloud, and any other Google account service, and
uses the FIDO authentication standard. Google says other websites might
join in later on, but it’s still in the process of certifying its
authentication service.
Two-factor authentication can help prevent unauthorized
logins in the event that someone gets your password, which is important
when leaks and phishing attacks can put accounts at risk. Google
recommends that everyone use their phone as a security key, but, in
particular, it recommends it for “journalists, activists, business
leaders, and political campaign teams who are at risk of targeted online
attacks.”
Not all methods of two-factor authentication are equally
secure, and Google has historically offered a whole bunch: SMS
verification codes (which have known weaknesses),
the Google Authenticator’s rotating codes, and Google Prompt, which lets
your Android phone and a Google service on your computer directly
communicate with each other over the internet. The new physical security
key option works very similarly to Google Prompt — as you can see in
the screenshots below — but now it requires your phone to be physically
near your computer, thwarting those who might attempt to spoof your
account from halfway around the world.
It also uses a pair of authentication protocols, FIDO and
WebAuthn, to double-check that you’re on the right website and not
getting phished.
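The phishing check the article describes is done on the website's side, not on the phone: the browser writes the page's true origin into the signed login response and derives the relying-party ID from that origin, so a look-alike site ends up with a response that only works for the look-alike site. The Go program below is an added example written for this page, not code from the article or from Google; it simulates all three parties (browser, phone-as-authenticator, relying party) with a simplified authenticator data layout (no attestation, no CBOR parsing) and constructed origins on example.com, and shows a genuine login passing while the same challenge relayed through a look-alike domain is rejected.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// clientData holds the clientDataJSON fields a relying party checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the response the browser hands back to the relying party.
type Assertion struct {
	ClientDataJSON, AuthenticatorData, Signature []byte
}

// signedDigest is what the authenticator signs:
// SHA-256( authenticatorData || SHA-256(clientDataJSON) ).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// browserGet simulates navigator.credentials.get() plus the phone acting as
// the authenticator. The browser itself records the page origin and derives
// the RP ID from its host; page script cannot override either value.
func browserGet(priv *ecdsa.PrivateKey, origin string, challenge []byte, count uint32) (Assertion, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return Assertion{}, err
	}
	cd, _ := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	// Simplified authenticatorData: rpIdHash (32) || flags (1, user-present bit) || signCount (4, big-endian).
	rpIDHash := sha256.Sum256([]byte(u.Hostname()))
	authData := append([]byte{}, rpIDHash[:]...)
	authData = append(authData, 0x01)
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], count)
	authData = append(authData, cnt[:]...)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{cd, authData, sig}, nil
}

// verifyAssertion runs the relying-party checks. The origin and rpIdHash
// checks are what defeat a phishing page: a look-alike site produces an
// assertion bound to its own origin, which the real site refuses.
func verifyAssertion(pub *ecdsa.PublicKey, a Assertion, challenge []byte, origin, rpID string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if ch, err := base64.RawURLEncoding.DecodeString(cd.Challenge); err != nil || !bytes.Equal(ch, challenge) {
		return errors.New("challenge mismatch: stale or replayed response")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin %q is not %q: possible phishing", cd.Origin, origin)
	}
	if len(a.AuthenticatorData) < 37 {
		return errors.New("authenticator data too short")
	}
	if want := sha256.Sum256([]byte(rpID)); !bytes.Equal(a.AuthenticatorData[:32], want[:]) {
		return errors.New("rpIdHash is not ours")
	}
	if a.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("user-presence flag not set")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo returns the verification results for a genuine login and for the same
// challenge relayed through a look-alike origin. All values are constructed.
func Demo() (genuineErr, relayedErr error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	challenge := make([]byte, 32)
	rand.Read(challenge)
	const origin, rpID = "https://login.example.com", "login.example.com"
	genuine, _ := browserGet(priv, origin, challenge, 1)
	genuineErr = verifyAssertion(&priv.PublicKey, genuine, challenge, origin, rpID)
	relayed, _ := browserGet(priv, "https://login-example.com", challenge, 2)
	relayedErr = verifyAssertion(&priv.PublicKey, relayed, challenge, origin, rpID)
	return
}

func main() {
	g, r := Demo()
	fmt.Println("genuine login:", g)          // <nil>
	fmt.Println("relayed look-alike login:", r) // origin mismatch error
}
```

Note that the relayed response fails even though it was signed by the real phone with the real challenge: the password-style attack of forwarding what the victim types does not carry over, because the browser, not the page, decides what origin and RP ID go into the signed data.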
To activate your Android phone as a security key, you
just need a phone running Android 7 or higher and a separate Chrome
browser open on a Chrome OS, macOS, or Windows 10 device. First,
sign in to your Google Account on an Android phone and turn on
Bluetooth. Then open myaccount.google.com/security
in Chrome on your second device and tap “two-step verification.” Select
the option to add a security key, and choose your phone from the list
of devices.
If you’re using a Pixel 3, you’ll be able to use the
volume down button to activate your security key, as Google says it’s
storing FIDO credentials inside the Pixel’s Titan M chip,
which can verify that button presses are legitimate. Other Android 7
and higher devices can still be used as two-factor authentication
methods, but they’ll be required to sign in and tap a button.
For now, the service is only available on Android phones,
and it’s exclusively for logins to Google services, not to third-party
sites. Google says that since the new technology runs on the same
protocols, including FIDO standards, that a physical security key would,
it’s only a matter of time before other companies implement similar
technology. Other browsers besides Chrome could gain support, and other
services could eventually expand to use Android phones as security keys.
Google says it’s in the process of working toward this eventual goal.