iPhones can now be set up as physical authentication keys

Cal Jeffrey

What just happened? If you use 2FA for your online accounts, good for you. If you use a physical key fob, even better. Android devices gained the ability to be used as physical authentication keys last year. Now, iPhones using Google's Smart Lock app can have the same functionality, albeit with some limitations.

Google just pushed an update to its iOS "Smart Lock" app that allows iPhones to act as a physical two-factor-authentication (2FA) key. Now when logging into first-party services in Chrome, a notification is sent to the phone so users can verify their identity through the Smart Lock app.

The authentication key is sent via Bluetooth rather than messaging the user a code, which could be intercepted. This method also thwarts SIM-swapping attacks since the scammer would have to have physical access to the device. SIM swapping is arguably 2FA's main weakness since attackers can generate 2FA codes after they have control of the victim's number. Despite that, it is still one of the best ways to protect your online accounts. It is made even stronger by using physical authentication methods.

This functionality has been available on Android devices since last April, but this is its first appearance on the iPhone.

It uses the iPhone processor's Secure Enclave, which stores encrypted security keys on the device. Secure Enclave was introduced with the iPhone 5S, so it will not work on earlier models. The Smart Lock app also requires iOS 10 or later to work. Google updated its 2FA Security Key support page with setup and usage instructions.

After users have added their iPhone's authentication key to their Google account, they can sign in to any Google service, such as Gmail, as long as they are browsing with Chrome and have their phone nearby. Alternative browsers like Microsoft's Edge or Apple's Safari are not supported. The Verge notes that if you try using it in these browsers, you will be prompted to insert a key fob.

Google was not forthcoming on whether support was coming for other browsers.


 
"Only works with Google accounts being accessed via Chrome but better than nothing"

Same with Android.
Then add Android 7 or higher and Windows 10 to the requirements.
 
Yet another app... I get the feeling they do this just to grab more user data ... Still if anyone has set this up already and tried it, let us know
 
Yet another app... I get the feeling they do this just to grab more user data ... Still if anyone has set this up already and tried it, let us know
I thought about setting it up for a hot second, but decided against it. It's too proprietary. If they open it up more I might think about it again.
 
Oh, actually, turns out, it's pretty useless. Chrome-only, Google-only.

"The new iPhone support appears to be limited to authenticating Google logins from the Chrome browser. When we attempted to use an iPhone to authenticate a login of the same service (we tested with Gmail) using Safari on a MacBook, we were prompted to insert our key fob (which we don’t have), meaning it created an extra step in our login process where we had to pick an alternative 2FA option."
 