Emil Protalinski* says we can now use our Android phone as a two-factor authentication security key for Google accounts.
Google has announced that phones running Android 7.0 Nougat and higher can now double as a Fast Identity Online (FIDO) security key.
You can thus use your Android phone to protect your personal Google account, and your G Suite, Cloud Identity, and Google Cloud Platform work accounts.
(Android tablets aren’t supported – Google specifically limited the functionality since users are more likely to have phones with them.)
This means Android phones can move from two-step verification (2SV) to two-factor authentication (2FA).
2SV is a method of confirming a user’s identity using something they know (password) and a second thing they know (a code sent via text message).
2FA is a method of confirming a user’s identity by using a combination of two different factors: something they know (password), something they have (security key), or something they are (fingerprint).
Why security keys are superior
Using 2FA means a remote hacker can’t use phishing to trick you into handing over your online credentials.
2SV — entering a code sent via a text, mobile app, or push notification — is better than just using a password.
But 2FA via a security key or phone is even better.
“It’s a second thing that I carry around with me wherever I want to login somewhere and I need to prove my identity by having this thing in my hand,” Google product manager Christiaan Brand explains.
“But it’s proving that I’m at the correct website at the point in time when I am trying to login.”
“So the solution here really is that security keys prevent you from sending your credentials to a phishing website.”
FIDO security keys prevent your account from being phished by requiring you to plug in and tap your physical device.
Google wants to bring those benefits to more people by having Android phones act as security keys.
How Android phone security keys work
Unlike other similar technologies, Google’s solution has a local requirement.
“The big difference here is that local proximity,” Brand emphasised.
“The fact that your browser on your machine and your phone communicate using a local protocol and do not go via the cloud.”
“All other push-based technology so far is kind of based on the fact that there’s a message being sent throughout the cloud.”
“Having this local protocol between the two devices is what makes this technology strongly resistant to phishing.”
FIDO’s proximity requirement ensures that the user trying to log in and the security key are in the same location.
With security keys, that is accomplished via the USB port or via Bluetooth.
With Android phone security keys, Google chose Bluetooth for convenience purposes.
Google’s solution uses the FIDO protocol between your computer and phone (CTAP API), and also requires that the browser tells the phone which website the user is viewing (WebAuthn).
The company further used the available extension mechanism to build a local proximity protocol on top of Bluetooth.
Called cloud-assisted Bluetooth Low Energy (caBLE), the extension doesn’t require pairing, installing an app, or plugging anything in.
Using your Android phone as a security key
To use your Android phone as a security key, you will need a Bluetooth-enabled Chrome OS, macOS, or Windows 10 computer with Chrome 72 or higher.
Follow these steps to get started:
- Sign into your Google Account on your Android phone and turn on Bluetooth.
- On your computer, navigate to myaccount.google.com/security (you have to be signed into the same account).
- Select 2-Step Verification.
- Click “Add a security key”.
- Choose your phone from the list of available devices.
Everyone will have to go through this process before they can use their Android phone as a security key.
Once enabled, the user experience is straightforward.
After you type in your password, your phone will prompt you to approve the login.
You’ll just have to hit a button on your screen.
On Pixel 3 devices, you’ll have to hit the volume-down button, which is hardwired to the Titan M chip — where Google stores your FIDO credentials for that extra bit of assurance.
Note that the user experience when using your phone as your security key is very simple.
“It is more or less the same as approving a prompt on your phone, which is a big plus,” Brand told VentureBeat.
“Under the covers, however, the phone and computer are communicating with the FIDO CTAP protocol over Bluetooth and the website and computer are communicating with the WebAuthn protocol and this adds the phishing-resistance.”
“This is the crucial and huge additional security boost.”
Limitations
Last year, Google launched the $50 Titan Security Key, its own take on a FIDO security key.
Maybe it’s fitting that this latest development makes that security key less useful.
We say less useful because Google still recommends that you use your phone as an additional security key.
If you lose your phone, it’s good to have a backup USB key at home, especially if you’re a consumer.
An administrator can always reset your work account.
If you’re a consumer, however, and you lose your security key, you’re out of luck.
The phone security key solution isn’t limited to any specific geographies because it’s being rolled out via Google Play Services, which is how the company can offer it on older Android devices.
It requires Chrome, but because Google built it using open standards, the company hopes other browsers will adopt it as well.
The same goes for iOS: Google hopes the functionality will work on Apple’s mobile devices one day too.
But for now at least, the feature can only be used for 2FA on Google accounts.
Google has submitted caBLE to FIDO and it’s under review by the working group.
Letting other companies use the technology is on the roadmap, but Google wouldn’t commit to a date.
* Emil Protalinski is News Editor at VentureBeat. He tweets at @EPro.
This article first appeared at venturebeat.com.