Google users can now use an iPhone or Android device as a security key to sign into their accounts, utilizing a technique that improves their defense against phishing attacks, the company announced Wednesday.
In a blog post, a product manager for Google’s Advanced Protection Program wrote that people who exclusively use security keys when logging in to their accounts “never fell victim to targeted phishing attacks.” Yet security keys, which are more secure than text-based authentication, typically are available in the form of a standalone physical device, an inconvenience that may discourage adoption.
Google’s update Wednesday is a significant step toward solving that problem. Instead of plugging a key into a USB slot, users just need to have their phones close to their machines.
“Everything becomes much simpler when the things we’re already carrying around — our smartphones — have a built-in security key,” Shuvo Chatterjee said in the post. “That’s been the case on Android since last year, and starting today you can activate a security key on your iPhone as well. Millions of people around the world — many high-risk users among them — use iPhones, and this new capability makes Advanced Protection significantly easier for them.”
It works like this: A user connects their phone to their computer via Bluetooth. A Google login attempt on a computer triggers a push notification to the phone, and they’re required to press a button on Google’s Smart Lock app to complete the authentication process.
The effort coincides with other security initiatives from Google, such as the expansion of “predictive phishing” tools meant to protect credentials in Chrome.
The upgrade comes amid a growing recognition that, while text-based two-factor authentication provides more security than only a username and password, that technique is not the most secure option. Security hardware options like Yubico’s Yubikey have made advancements, while other technologies like password management tools also are experiencing new interest.