Google announced today that any phone running Android 7 or higher can now be used as a physical security key for two-factor authentication, giving you an even more secure way to log into Google apps than several other existing 2FA methods that Google provides right now. So when if you want a physical device to verify your login, you don’t have to buy a dongle — you can just use your phone.
To make your Android phone your security key, you’ll just need to connect your phone through Bluetooth to a Chrome browser to verify logins. (Some older desktop PCs don’t have Bluetooth, but it’s pretty universal on laptops.) The new authentication scheme works on Gmail, G Suite, Google Cloud, and any other Google account service, and uses the FIDO authentication standard. Google says other websites might join in later on, but it’s still in the process of certifying its authentication service.
Two-factor authentication can help prevent unauthorized logins in the event that someone gets your password, which is important when leaks and phishing attacks can put accounts at risk. Google recommends that everyone use their phone as a security key, but, in particular, it recommends it for “journalists, activists, business leaders, and political campaign teams who are at risk of targeted online attacks.”
Not all methods of two-factor authentication are equally secure, and Google has historically offered a whole bunch: SMS verification codes (which have known weaknesses), the Google Authenticator’s rotating codes, and Google Prompt, which let your Android phone and a Google service on your computer directly communicate with each other over the internet. The new physical security key option works very similarly to Google Prompt — as you can see in the screenshots below — but now it requires your phone to be physically near your computer, thwarting those who might attempt to spoof your account from halfway around the world.
It also uses a pair of authentication protocols, FIDO and WebAuthn, to double-check that you’re on the right website and not getting phished.
To activate your Android phone as a security key, you just need a phone running Android 7 or higher and a separate Chrome browser open either on a Chrome OS, macOS, or Windows 10 device. First, sign in to your Google Account on an Android phone and turn on Bluetooth. Then open myaccount.google.com/security in Chrome on your second device and tap “two-step verification.” Select the option to add a security key, and choose your phone from the list of devices.
If you’re using a Pixel 3, you’ll be able to use the volume down button to activate your security key, as Google says it’s storing FIDO credentials inside the Pixel’s Titan M chip, which can verify that button presses are legitimate. Other Android 7 and higher devices can still be used as two-factor authentication methods, but they’ll be required to sign in and tap a button.
For now, the service is only available on Android phones, and it’s exclusively for logins to Google services, not to third-party sites. Google says that since the new technology runs on the same protocols, including FIDO standards, that a physical security key would, it’s only a matter of time before other companies implement similar technology. Other browsers besides Chrome could gain support, and other services could eventually expand to use Android phones as security keys. Google says it’s in the process of working toward this eventual goal.