Google just pushed an update to its iOS "Smart Lock" app that allows iPhones to act as a physical two-factor-authentication (2FA) key. Now when logging into first-party services in Chrome, a notification is sent to the phone so users can verify their identity through the Smart Lock app.
The authentication key is sent via Bluetooth rather than messaging the user a code, which could be intercepted. This method also thwarts SIM-swapping attacks since the scammer would have to have physical access to the device. SIM swapping is arguably 2FA's main weakness since attackers can generate 2FA codes after they have control of the victim's number. Despite that, it is still one of the best ways to protect your online accounts. It is made even stronger by using physical authentication methods.
It uses the Secure Enclave as a security key, it's pretty cool.— Filippo Valsorda (@FiloSottile) January 14, 2020
This functionality has been available on Android devices since last April, but is the first appearance on the iPhone.
It uses the iPhone processor's Secure Enclave, which stores encrypted security keys on the device. Secure Enclave was introduced with the iPhone 5S, so it will not work on earlier models. The Smart Lock app also requires iOS 10 or later to work. Google updated its 2FA Security Key support page with setup and usage instructions.
After users have added their iPhone's authentication key to their Google account, they can sign into any Google service, such as Gmail, as long as they are browsing with Chrome and have their phone nearby. Alternative browsers like Microsoft's Edge or Apple's Safari are not supported. The Verge notes that if you try using it in these browsers, you will be prompted to insert a key fob.
Google was not forthcoming on whether support was coming for other browsers.