
Don’t Buy a Physical Security Key, You Can Use Your Android Phone Instead

Image: Android phone as physical security key (geralt / Pixabay)

Two-factor authentication, or 2FA, adds a layer of security on top of your password, but the strongest form of it, a hardware security key, has a practical cost: you need to carry an extra dongle with you all the time. Google now plans to make that layer easier to adopt by letting you use your Android phone as the security key.

Google’s new security measure – why is it better?

In two-factor authentication, web apps such as Gmail let users protect their account with a second check besides the password, for example an SMS code sent to the user’s phone. A stronger option is a hardware security key, a small dongle that holds a private key.

Such a key authenticates the user when it is plugged into the computer and tapped, a bit like a car key, except that what it presents is a signature over a challenge from the website rather than a fixed code. The method, however, is not always convenient, as users need to carry the dongle with them all the time. Google wants to free users of that burden.

On Wednesday, Google announced that phones running Android 7.0 or higher can now be used in place of a physical security key for 2FA, letting users log in to Google services easily and securely. This means you don’t have to buy an additional dongle to verify your login.

Image Source: Google (screenshot)

“Starting today in beta, your phone can be your security key—it’s built into devices running Android 7.0+. This makes it easier and more convenient for you to unlock this powerful protection, without having to carry around additional security keys,” Google said in a blog post.

Why is it more secure?

If you use your phone this way, the browser on the computer you are signing in on connects to your Android phone over Bluetooth; there is no need to plug the phone into the PC over USB. Apart from the Bluetooth transport, the flow works like dongle-based 2FA: the phone holds the credential and answers the site’s sign-in challenge.

Some may worry that because the phone talks to the computer over Bluetooth, an attacker could listen in. Bluetooth’s short range does limit who can even attempt this, since the attacker would have to be close to your PC or phone, but the protection does not rest on range alone. The phone never transmits a reusable code: what crosses the link is a signature over a one-time challenge that is tied to the website’s address, so an attacker who captured the exchange could neither replay it for a later login nor use it on a different site.

Google’s new method is similar to Google Prompt, another way two-step verification can work. Google Prompt sends the sign-in question to your phone over the Internet, so a prompt can be triggered from anywhere; the new method requires your phone to be physically near the computer that is signing in, because the Bluetooth handshake has to complete, and a remote attacker’s machine cannot do that.

Moreover, the new method uses the FIDO and WebAuthn standards: WebAuthn is the W3C browser API for public-key sign-in, and FIDO covers the authenticator side. Under these, the browser includes the website’s origin in the data the phone signs, and the credential is scoped to the site it was registered with, so a look-alike phishing site gets a signature that the real site will refuse. That is what ensures you are on the right website and not a fake one.
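The origin binding and replay resistance described above, as an added example in Go (my own illustration, not Google’s or Chrome’s code): a stripped-down model of one WebAuthn sign-in with the three parties in play, the phone acting as authenticator, the browser, and the website’s server. The domains (example.com, login.example.com, and the look-alike login-example.com), the trimmed-down data layout (client data carrying only the challenge and origin, authenticator data as the hash of the RP ID plus one flags byte) and the use of Ed25519 in place of the ES256 signatures most hardware keys use are all assumptions for this example. It shows that a phishing page can get the phone to sign (the phone has no way of knowing who asked), but the origin the browser wrote into the signed data gives it away, and that an assertion sniffed from the Bluetooth link cannot be submitted twice.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Simplified model of one WebAuthn/FIDO2 sign-in; names, domains and the trimmed-down data layout
// are assumptions for this example, not Google's or Chrome's code. Ed25519 stands in for ES256.
// clientData is assembled by the browser, not the phone: the browser fills in the origin of the
// page that requested the assertion, so a phishing page cannot lie about who it is.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// phoneKey is the phone's credential for one relying party (RP); the private key never leaves it.
type phoneKey struct {
	rpID string
	priv ed25519.PrivateKey
}
type assertion struct { // what travels over Bluetooth to the browser and on to the server
	AuthenticatorData []byte // SHA-256(rpID) followed by one flags byte
	ClientDataJSON    []byte
	Signature         []byte
}

// sign is the phone's side: a signature over authenticatorData || SHA-256(clientDataJSON). Since
// clientDataJSON holds the origin and a one-time challenge, the signature is bound to both.
func (k *phoneKey) sign(clientDataJSON []byte) assertion {
	rpIDHash := sha256.Sum256([]byte(k.rpID))
	authData := append(rpIDHash[:], 0x01) // 0x01 = user present: the tap on "Are you trying to sign in?"
	cdHash := sha256.Sum256(clientDataJSON)
	sig := ed25519.Sign(k.priv, append(append([]byte{}, authData...), cdHash[:]...))
	return assertion{AuthenticatorData: authData, ClientDataJSON: clientDataJSON, Signature: sig}
}
type relyingParty struct { // the server side; in the article, Google's sign-in service
	rpID, origin string
	pub          ed25519.PublicKey
	pending      map[string]bool // challenges issued and not yet consumed
}
func (rp *relyingParty) newChallenge() string {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		panic(err) // no usable randomness: refuse rather than issue a guessable challenge
	}
	c := base64.RawURLEncoding.EncodeToString(buf)
	rp.pending[c] = true
	return c
}

// verify performs the checks that make the scheme phishing- and replay-resistant.
func (rp *relyingParty) verify(a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil || cd.Origin != rp.origin {
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, rp.origin) // phishing
	}
	if !rp.pending[cd.Challenge] { // replay: challenge unknown or already consumed
		return fmt.Errorf("unknown or already-used challenge")
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if len(a.AuthenticatorData) != 33 || string(a.AuthenticatorData[:32]) != string(want[:]) || a.AuthenticatorData[32]&1 == 0 {
		return fmt.Errorf("authenticator data not for this RP, or user presence not confirmed")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	if !ed25519.Verify(rp.pub, append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...), a.Signature) {
		return fmt.Errorf("bad signature")
	}
	delete(rp.pending, cd.Challenge) // consume the challenge only after every check passed
	return nil
}

// browserLogin plays the browser at pageOrigin; the assertion is returned so a caller can replay it.
func browserLogin(rp *relyingParty, phone *phoneKey, pageOrigin string) (assertion, error) {
	cdJSON, _ := json.Marshal(clientData{Challenge: rp.newChallenge(), Origin: pageOrigin})
	a := phone.sign(cdJSON)
	return a, rp.verify(a)
}

// setup enrolls one constructed credential for example.com with a constructed relying party.
func setup() (*relyingParty, *phoneKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rp := &relyingParty{rpID: "example.com", origin: "https://login.example.com", pub: pub, pending: map[string]bool{}}
	return rp, &phoneKey{rpID: "example.com", priv: priv}
}

func main() {
	rp, phone := setup()
	a, err := browserLogin(rp, phone, "https://login.example.com")
	fmt.Println("genuine site:", err)
	_, err = browserLogin(rp, phone, "https://login-example.com") // look-alike phishing page
	fmt.Println("phishing site:", err)
	fmt.Println("replayed copy:", rp.verify(a)) // attacker resubmits the sniffed assertion
}
```

The genuine login prints a nil error, the look-alike site is rejected on the origin check, and the replayed copy is rejected because its challenge was consumed. In a real browser the phishing attempt fails even earlier: Chrome refuses to use a credential whose RP ID is not a registrable suffix of the page’s domain, so the phone is never asked to sign; the server-side origin check modelled here is the backstop that holds even if a client misbehaves.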

How to use your Android phone as a physical security key?

To use your Android phone as a physical security key, sign in to the service in a Chrome browser on a computer with Bluetooth turned on, with Bluetooth also enabled on the phone. Chrome connects to the phone, which then shows the message "Are you trying to sign in?". Once you confirm on the phone, the sign-in on the PC completes.

To enable the feature, go to myaccount.google.com/security on your Android phone. Select 2-Step Verification under “Signing in to Google,” scroll down to “Set up an alternative second step,” tap Add Security Key, and then select Your Android phone.

“In a few minutes, you can set up your compatible Android phone’s built-in security key to help you securely sign in on a nearby computer,” Google said in a blog post.

To use this new 2FA method, your phone must run Android 7.0 or above. For now, you can only use your Android phone as a security key for Google’s own services, such as Gmail, G Suite, Google Cloud and other Google account services, and only through Chrome. Google says that other websites might join later and that other browsers might also gain support.

As might be expected, Pixel 3 users get a special benefit: instead of unlocking the phone to confirm the request, they can just press the volume-down button. Google says it stores the FIDO credentials in the Pixel’s Titan M security chip, which also lets it verify that the button press is genuine.

Google recommends that all users turn their Android phone into a security key, but it particularly recommends the method for “journalists, activists, business leaders, and political campaign teams who are at risk of targeted online attacks.”