Last year, Google announced that all Android 7+ devices can be used for two-factor authentication when signing in to Gmail, Drive, and other first-party services. Most modern iPhones can now be used as a built-in phone security key for Google apps.
Most people today are increasingly familiar with 2FA through codes sent via SMS. However, this is widely regarded as being insecure, and safer alternatives like physical security keys that you plug into your phone or computer are recommended. A new solution is using your phone’s hardware to verify that you’re the one logging in.
A built-in phone security key differs from the Google Prompt, though both essentially share the same UI. The latter push-based approach is found in the Google Search app and Gmail, while today’s announcement is more akin to a physical USB-C/Lightning key in terms of being resistant to phishing attempts and verifying who you are. Your phone security key needs to be physically near (within Bluetooth range) the device that wants to log in. The login prompt is not just being sent over an internet connection.
With an update to the Google Smart Lock app on iOS this week, “you can now set up your phone’s built-in security key.” According to one Googler today, the company is leveraging the Secure Enclave found on Apple’s A-Series chips. Storing Touch ID, Face ID, and other cryptographic data, it was first introduced on the iPhone 5s, though that particular device no longer supports iOS 13.
Anytime users enter a Google Account username and password, they’ll be prompted to open Smart Lock on their nearby iPhone to confirm a sign-in. There’s also the option to cancel with “No, it’s not me.”
This only works when signing in to Google with Chrome, and Bluetooth must be enabled on both the desktop computer and the phone, because the devices communicate the confirmation request and verification locally.
After installing the update, you’re prompted to select an account to “Set up your phone’s built-in security key.” Smart Lock was previously just used for allowing Bluetooth security keys, as well as generating one-time security codes. Google also “refreshed the app’s design to make it easier to use” with version 1.6.