by John E Dunn
Google just announced a new security feature that allows users of Android 7 and later to use their smartphones to authenticate themselves to their Google accounts.
The surprise announcement was buried inside a pile of enterprise-oriented enhancements revealed at Google Cloud Next 2019 in San Francisco on Wednesday.
Released in beta, the feature is designed to protect Google users from phishing attacks. Once enabled, the user logs into their Google account using their username and password as normal before authenticating that their enrolled smartphone is present by clicking on a message that appears on the screen.
It’s identical in principle to using a FIDO USB token such as the YubiKey (or Google’s Titan key equivalent launched last year), except that the smartphone itself becomes the token.
This defeats phishing in the same way a token does because even if attackers get hold of someone’s Google username and password they can’t access the account without also having the smartphone.
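As an added illustration (not code from Google or from the article), here is a constructed model of why a security key, the enrolled phone included, also defeats a look-alike site that relays the real login page's challenge in real time: the key signs over the hash of the site the browser is actually on, so the genuine site rejects anything signed for a different domain. The relying-party id, the look-alike domain and the HMAC stand-in for the key's public-key signature are all assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed model of a FIDO relying party checking a security-key assertion.
# Real WebAuthn uses a per-site public-key signature; HMAC-SHA256 with a
# per-enrolment secret stands in for it so this runs on the standard library.

RP_ID = "accounts.google.com"  # assumed relying-party id of the real login site


class PhoneSecurityKey:
    """The enrolled phone: signs over the rpId of the site the browser is really on."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)    # stand-in for the private key
        self.verify_key = self._secret            # shared with the RP at enrolment

    def get_assertion(self, browser_rp_id: str, challenge: bytes):
        rp_id_hash = hashlib.sha256(browser_rp_id.encode()).digest()
        client_data = json.dumps({
            "type": "webauthn.get",
            "challenge": challenge.hex(),
            "origin": "https://" + browser_rp_id,
        }).encode()
        signed = rp_id_hash + hashlib.sha256(client_data).digest()
        sig = hmac.new(self._secret, signed, hashlib.sha256).digest()
        return rp_id_hash, client_data, sig


def verify_assertion(verify_key, challenge, rp_id_hash, client_data, sig) -> bool:
    """Relying-party checks: rpId binding, fresh challenge, then the signature."""
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        return False                              # signed for some other site
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False                              # replayed or foreign challenge
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(verify_key, signed, hashlib.sha256).digest(), sig)


def demo():
    phone = PhoneSecurityKey()
    challenge = secrets.token_bytes(32)           # issued by the real site
    # Genuine login: the browser is on the real site, so the rpId matches.
    ok = verify_assertion(phone.verify_key, challenge, *phone.get_assertion(RP_ID, challenge))
    # Phishing: a look-alike site relays the challenge, the user approves the prompt
    # on the phone, and the attacker forwards the result to the real site.
    phished = verify_assertion(phone.verify_key, challenge,
                               *phone.get_assertion("accounts-google.example", challenge))
    return ok, phished                            # (True, False)
```

The stolen password alone gets the attacker to the prompt step and no further: the relayed assertion carries the wrong rpId hash and is refused.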
To use your Android phone (tablets don’t appear to be supported yet) as a security key, you must have a phone running Android version 7.x or later, and you need to turn on Bluetooth.
Your computer must also have Bluetooth, and be running the latest version of the Chrome browser, on a Chrome OS, macOS X or Windows computer.
How to turn it on
From Google’s support blog:
Step 1: Add the security key to your Google Account
Turn on 2-Step Verification and add a verification method like Google Prompt.
If you already use 2-Step Verification, you can move on.
On your Android phone, go to myaccount.google.com/security.
Under “Signing in to Google,” select 2-Step Verification. You might need to sign in.
Scroll down to “Set up an alternative second step.”