Google has announced Android phones can now be used as a Bluetooth-based security key to be used for two-factor authentication. The new functionality enables users to add an additional layer of security to a Google account via the Chrome browser.
The new feature, which applies to a personal Google account as well as G Suite, might save Android users from buying a dedicated security key dongle to gain access to their account.
It will also enable Google account holders to move from the current two-step verification method – which commonly combines a password plus a text code – to full two-factor authentication, which combines two of a password, security key and a biometric indicator like a fingerprint.
The FIDO-based physical key makes sure that hackers trying to steal credential information to illegally log into a Google account cannot do so as users are required to tap their key during suspicious or unrecognised sign-in attempts.
To make things even more secure for millions of Android users, Google has now made all Android 7 and above smartphones physical keys to log into Google accounts. Currently in Beta, the feature will allow all Android users to use their phones for two-factor authentication during sign-up into all Google accounts.
Google product manager Christiaan Brand explained,
“The fact that your browser on your machine and your phone communicate using a local protocol and does not go via the cloud. All other push-based technology so far is kind of based on the fact that there’s a message being sent throughout the cloud. Here, we’re saying no, the message will be local. And that is essential to this phishing resistance. Having this local protocol between the two devices is what makes this technology strongly resistant to phishing.”
He said the physical security key dongles are less convenient because in today’s world, because they can often mean having a cable that fits both the key and the host device.
“Asking the user to have a cable ready that’ll fit both their device and the machine they’re trying to sign in at some point in time almost takes away all the convenience of being able to use your phone.
“The chance that you have your phone there is very, very high. But the chance that you have the exact correct cable is very low. At that point in time, it might just be the same as having to carry around a physical security key.”
How to use your Android device as a physical security key
To use the built-in security key on your Android phone, Google has detailed a number of prerequisites which are as follows:
- You need an Android phone running Android 7.0 or up.
- You also need a computed that has Bluetooth, latest version of the Chrome browser, the latest version of a compatible operating system like Chrome OS, Mac OS, or Windows
How to Add the security key to your Google Account
- Users will first need to turn on 2-Step verification in their Google accounts and add a verification method like Google Prompts. You can get a prompt for 2-Step Verification on Android phones with updated Google Play services
- On your Android phone, go to myaccount.google.com/security.
- Under “Signing in to Google,” select 2-Step Verification. You might need to sign in.
- Scroll down to “Set up an alternative second step.”
- Select Add Security Key and choose your Android phone from the list. simply turn it on.
How to Use your Android phone as a security key
- Make sure your computer’s Bluetooth is turned on.
- Sign in to your Google Account with your username and password.
- Check your Android phone for a notification.
- On your Android phone, double-tap the “Are you trying to sign in?” notification.
- Follow the instructions to confirm it’s you signing in.
Google also recommends using a backup security key to your account and keeping it in a safe place just in case you lose your phone.