Google today announced a new feature for Android 7+ devices (delivered via an update to its proprietary Google Play Services software) that effectively turns the phone into a two-factor authentication security key. The feature uses the FIDO Alliance protocols, which have become the industry standard for hardware security keys.
Android Smartphones as Security Keys
Last year, Google learned through a year-long experiment within its own organization that hardware security keys stop phishing attacks in practice: a phished password is useless without the key, and the key only answers the site it was registered with. This prompted the company to build and sell its own hardware security token, the Google Titan Security Key.
However, not everyone wants to pay $20-$50 for such a key, and many people do not want the hassle of carrying an extra gadget, even one that fits on a keychain.
Turning the phone you already carry into a security key is the next best option. It should be safer than SMS-based two-factor authentication, whose one-time codes can be intercepted or simply typed into a phishing page, while being far more convenient than a separate token. A FIDO response is bound to the web origin of the site that requested it, so a look-alike domain that tricks a user gets nothing it can reuse against the real site.
Google’s implementation of this Android feature also uses the FIDO standards, which in principle means any browser or operating system that supports those standards could support it. For now that is only Chrome, but Firefox and the upcoming Chromium-based Edge browser should follow in the near future.
Windows 10 itself may also support it in the near future, as Microsoft is a member of the FIDO Alliance and an early adopter of the FIDO standards.
How to Activate Android’s Security Key Feature
As mentioned above, you first need a smartphone running Android 7 or newer, which covers most phones from 2017 on. Next, you need a Bluetooth-enabled Chrome OS, macOS or Windows 10 computer running the Chrome browser; the computer talks to the phone over Bluetooth, so make sure Bluetooth is turned on on both devices.
Next, follow these four steps:
- Add your Google Account to your Android phone.
- Make sure you’re enrolled in 2-Step Verification (2SV).
- On your computer, visit the 2SV settings, and click "Add security key".
- Choose your Android phone from the list of available devices.
Google recommends registering a backup security key (either a hardware token or a second phone) in case you lose your main one. If you lose your main security key and have no backup, you may be locked out of your Google account or any other service on which you enabled security-key two-factor authentication.