Last year at Cloud Next, Google announced its own Titan Security Key as part of a push to encourage two-step verification. These small devices fight phishing by requiring a physical confirmation that you are the one logging into an account. Google today announced that all Android 7+ phones can be used as security keys to sign into the company’s services.
Google refers to two-factor authentication (2FA) as two-step verification (2SV) and advocates that all users add an extra layer of security when logging in. Security keys are the preferred method, described as the “most phishing-resistant method of 2SV on the market today” because they prove that you’re visiting the correct, non-spoofed site.
These key-shaped USB devices or Bluetooth-connected fobs feature a button that is tapped during sign-in. While the keys are as affordable as $20, Google is further encouraging adoption by making your current phone a security key.
Phone security keys can be set up on any Android 7 or newer device starting today thanks to Google Play Services. They are identical to an actual security key and work with multiple personal and enterprise Google Accounts. When logging into Google, users enter their username and password as usual. A prompt will then appear on their phone to confirm the sign-in attempt. Bluetooth and location services have to be enabled on both devices.
Update 5/7: Roughly a month after the initial announcement, Google has confirmed that this functionality is now “generally available” to all users, meaning that if you didn’t already have access you should at this point. This was announced on stage at the I/O keynote and further confirmed in a blog post. The functionality is rolling out worldwide to all Android 7.0+ devices.
On a Pixel 3, phone security keys take advantage of the Titan M to store FIDO credentials. Since this dedicated chip is hardwired to the volume down button, users have to hold that button down when authenticating. On all other Android devices, there will be an on-screen button to tap, just like the Google Prompt.
Behind the scenes, the same WebAuthn and FIDO APIs used for physical security keys are being used on the phone. However, Google did take the extra step of making the entire exchange pairing-less, so users do not have to pair a computer and phone over Bluetooth ahead of time. Google is currently standardizing this new process within FIDO. Overall, Google hopes that other browsers and web services will eventually add support for phone security keys.
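The origin binding that makes these keys phishing-resistant, as an added Python example (not Google's or the FIDO project's code): a relying party's check of the `origin` in clientDataJSON and of the `rpIdHash` in the authenticator data, using constructed sample values for the origin, RP ID and challenge. Signature verification over the assertion is omitted to keep the focus on the binding itself.

```python
import base64
import hashlib
import json

# Constructed relying-party configuration (not Google's real values).
EXPECTED_ORIGIN = "https://accounts.example.com"
EXPECTED_RP_ID = "example.com"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for clientDataJSON."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_client_data(origin: str, challenge: str) -> str:
    """Build clientDataJSON as a browser would; the browser, not the page,
    fills in the origin, so a phishing site cannot claim another origin."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_authenticator_data(rp_id: str) -> bytes:
    """Constructed authenticator data: sha256(rpId) || flags || counter.
    The rpId comes from the browser, which only allows one matching the origin."""
    user_present = b"\x01"
    counter = (0).to_bytes(4, "big")
    return hashlib.sha256(rp_id.encode()).digest() + user_present + counter


def verify_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: str) -> bool:
    """Relying-party checks on a WebAuthn get() response (signature check omitted)."""
    client = json.loads(b64url_decode(client_data_b64))
    if client.get("type") != "webauthn.get":
        return False
    if client.get("challenge") != expected_challenge:
        return False  # replayed or unsolicited response
    if client.get("origin") != EXPECTED_ORIGIN:
        return False  # response was produced on a different site
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False  # authenticator was asked to sign for another RP
    if not auth_data[32] & 0x01:
        return False  # user-presence flag (the tap or volume press) not set
    return True
```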
To activate, users need an Android Nougat, Oreo, Pie, or soon Q phone and Bluetooth-enabled Chrome OS, macOS, or Windows 10 computer with the latest Chrome (72+) browser installed. The same Google Account has to be signed into both devices.
- Sign into your Google Account on your Android phone and turn on Bluetooth
- On your computer, navigate to myaccount.google.com/security
- Select 2-Step Verification
- Click “Add a security key”
- Choose your phone from the list of available devices
Google encourages all 2SV users to register another security key in case the first is lost. The company recommends its own FIDO key, or one made by a third-party vendor. Phone security keys can be turned on starting today.