Google now has a new way of enabling two-factor authentication: using your phone as the near-equivalent of a physical security key.
You should already be familiar with two-factor authentication: Typically, you’ll secure a web-based application like Gmail by not only inputting a password, but also providing a second means of authentication, such as an SMS code sent to your phone, or a code provided by an authentication app such as those listed in the link above.
There’s an alternative 2FA method that doesn’t receive as much attention: a physical hardware dongle, like a YubiKey, that authenticates by being physically inserted into your PC. Think of it as a car key: You own it, you have it, so you must be who you say you are.
Google’s new use of an Android phone as a “hardware dongle” is almost, but not quite, the same. Instead of sending a notification to an app on your phone—which an attacker could access if you lost the phone and they knew your PIN code—the website or service tries to connect to your phone via Bluetooth. Google’s new 2FA method doesn’t require a dongle to be physically inserted into a PC, but since Bluetooth’s range is relatively short, the odds of an attacker accessing your unlocked phone while remaining physically near your PC are relatively low.
Otherwise, the way in which this two-factor authentication works should be familiar: You log in, the service sends a “Are you trying to sign in?” request to your phone, and then you confirm that yes, it’s you. Right now, Google’s new authentication is confined to its own services like Gmail and G Suite, and requires a phone running Android 7 or above. There’s no indication of this being tied to WebAuthn to enable 2FA on websites, though.
Google’s security page details the steps that are required:
- Enable two-factor authentication, if you haven’t already, on the web service in question.
- On your Android phone, go to myaccount.google.com/security.
- Under “Signing in to Google,” select 2-Step Verification.
- Scroll down to “Set up an alternative second step.”
- Select Add Security Key Your Android phone Turn on.
There’s one bonus for users who own a Pixel 3: Instead of actually requiring you to unlock your phone, you can (optionally) just tap the volume-down button to confirm the authentication request.