The use of hardware two-step verification (2SV) to secure your Google account has long been a thing; a highly recommended thing at that. Whether using Google’s own Titan keys or a third-party alternative such as a YubiKey, the user experience has been a poor one for most people. Not only is the process of connecting the key to your device and account somewhat complex for the average user, but the keys themselves can cost as much as £60 depending upon the model. That is all about to change, as Google has announced that your Android smartphone can now be used as a Fast Identity Online (FIDO) security key instead.
What has Google said?
Arnar Birgisson, a Google software engineer, and product manager Christiaan Brand announced that, with immediate effect, the ability to use your phone as a security key is available to all in beta form; and it’s built right into your device already, as long as it’s running Android 7 (Nougat) or later. “Use it to protect your personal Google Account, as well as your Google Cloud Accounts at work” they said, adding “we also recommend it for people in our Advanced Protection Program – like journalists, activists, business leaders and political campaign teams who are most at risk of targeted online attacks.” This is possible by way of a new protocol that Google has developed which, apparently, uses Bluetooth but bypasses the usual connection setup (pairing) process. Unfortunately, detail is scarce at the moment surrounding exactly how this works.
What will your phone key protect?
Getting access to your personal Google account is a high-value proposition for any cyber-criminal, whether through social engineering (phishing, for example) or a data breach that exposes usernames and passwords that have been reused across different services. Once access to your Google account is accomplished, especially if you use Gmail as well, the attacker quite literally gets hold of the keys to your data kingdom. As well as providing a secondary verification factor that helps prevent such account access succeeding in the first place, even when your login credentials have been compromised, the new phone key will also protect G Suite, Cloud Identity and Google Cloud Platform accounts.
How do I enable it?
First of all it should be noted that the new functionality only applies to your phone, as Google has specifically not rolled it out for tablets. Second, your phone needs to have both Bluetooth and location services enabled. Thirdly, it currently only works in combination with a Bluetooth-enabled Chrome OS, macOS or Windows 10 computer running the Chrome browser.
OK, so those prerequisites aside, the setup is pretty straightforward compared with a physical FIDO key.
1. Sign into your Google account on your phone.
2. Sign into your Google account on your computer and go to myaccount.google.com/security.
3. Select the two-step verification option.
4. Select the ‘add security key’ option.
5. Select your phone from the list of available devices.
That’s it; as long as Bluetooth is enabled on both devices, you will now be able to sign into your account using your phone as the security key. When you sign in, a prompt pops up on your phone screen after you enter your login credentials, and it is then just a matter of hitting the approve button. For Pixel 3 users it’s a matter of pressing the volume down button, as that device has a built-in Titan M chip that stores the FIDO credentials and the volume down button is hardwired to it.
What are the benefits over the Google Authenticator app?
The two most commonly used methods of adding a secondary verification factor are codes delivered by SMS text message or generated by an authenticator app. The text message option should be avoided if at all possible, as hackers have long since worked out ways to intercept these. The authenticator app route is more secure but is exposed to the security weakness that is the user themselves. If someone manages, by way of a phishing attack or other social engineering scam, to divert you to an official-looking but cloned version of the Google account site, then your code won’t save you: the code you enter will be copied and entered into the real account sign-in page, and access will be granted within the code’s expiry window. Using a hardware key means that the cryptographic keys don’t travel across the internet but are stored in a Trusted Execution Environment (TEE) within your phone’s processor (Pixel 3 phones are an exception, as mentioned before, and use a custom Titan chip for such storage). This means that without physical access to your phone, no hacker can access your secondary verification key.
Are there any drawbacks?
Yes. First of all, the system is still in beta, which means that it is still being tested. You may not want to risk putting your two-step verification process into the hands of an, as yet, unfinished system. Then there’s the cost thing I mentioned earlier. While you already have your phone, Google recommends that you register a secondary, backup key to your account in case your phone gets lost or stolen, which means you still need to buy a key and still have the less than straightforward installation process to manoeuvre through.