Now you can use your Android phone as a physical two-factor authentication key

David Matthews

What just happened? Google is allowing Android devices to be used as physical authentication keys. This will drastically improve security when logging into Google applications and prevent phishing attacks. It also means that users don't have to buy a third-party physical token.

Good news for the security-conscious among us. Google announced that any phone running Android 7.0 Nougat or higher can be used as a physical two-factor authentication (2FA) key. Before, physical authentication keys were limited to dongles like YubiKey or Google's own Titan Security Key. Note that this only works when logging into Google apps in Chrome browsers on Windows 10, macOS, and ChromeOS. Your computer must also support Bluetooth.

The process is pretty straightforward. Sign in to your Google account on your Android phone and make sure Bluetooth is enabled. Enroll in 2FA under your Google account if you aren't already enrolled, and click "Add security key." Choose your Android device as the security key and the process is complete.

To authenticate, Google uses a mixture of FIDO protocols and WebAuthn to ensure you aren't being subjected to a phishing attack. For Pixel 3 owners, Google stores the FIDO credentials in the Titan M chip. As long as your phone is within Bluetooth range of your computer, it should authenticate. It's a mixture of what you have (phone), what you know (password), and cryptography (FIDO).

As a person with a background in networking and cybersecurity, I would strongly urge Android users to consider this new 2FA method if you're not already using something. Many websites use SMS for 2FA; however, that's been shown to have major weaknesses. Facebook also allows users to be looked up via their 2FA phone number. While using software tokens like Authy or Google Authenticator is much safer, physical security keys are the safest.

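The phishing protection the article attributes to FIDO and WebAuthn comes from checks the website (the relying party) runs on every sign-in response. The sketch below is an added example, not part of the original article or Google's code, and runs those checks on constructed data; the domain names, `simulate_browser` and `check_binding` are assumptions for illustration, and signature verification is left out.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlsplit

RP_ID = "accounts.example"                    # assumed relying-party ID (placeholder)
EXPECTED_ORIGIN = "https://accounts.example"  # assumed sign-in origin (placeholder)
CHALLENGE = bytes(range(32))                  # constructed; a real server uses fresh random bytes

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def simulate_browser(origin: str, challenge: bytes):
    """Constructed stand-in for browser + security key: both outputs are
    derived from the origin the user is really on, not from page content."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    rp_id_hash = hashlib.sha256(urlsplit(origin).hostname.encode()).digest()
    auth_data = rp_id_hash + bytes([0x01]) + (1).to_bytes(4, "big")  # UP flag, counter
    return client_data, auth_data

def check_binding(client_data: bytes, auth_data: bytes, challenge: bytes) -> str:
    """Relying-party checks made before the signature is verified.
    Returns "ok" or the name of the first failed check."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        cd = None
    if not isinstance(cd, dict):
        return "malformed clientDataJSON"
    if cd.get("type") != "webauthn.get":
        return "wrong type"
    if not hmac.compare_digest(str(cd.get("challenge")).encode(), b64url(challenge).encode()):
        return "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if len(auth_data) < 37 or not hmac.compare_digest(auth_data[:32], expected_hash):
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user not present"
    return "ok"

if __name__ == "__main__":
    # Genuine site versus a constructed look-alike origin on the reserved .test TLD.
    for origin in (EXPECTED_ORIGIN, "https://accounts.example.login-check.test"):
        print(origin, "->", check_binding(*simulate_browser(origin, CHALLENGE), CHALLENGE))
```

Because the browser, not the page, fills in the origin, a response produced on a look-alike site fails these checks even if the user notices nothing wrong.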

 
Certainly could use more information on this one!
Agreed. It's like the introduction to an article. What is the article about?
If it's only for Google Apps in Chrome browsers with Windows 10 and Bluetooth ... then that's extremely limited and hardly something to be praising. I can't think of a single app that it would cover that I use.
 
This!

On the face of it, it sounds like a good idea, however, it would not at all surprise me if there was something behind this like gagme trying to force people into using their "stuff" so that they can mine it or something like that.
 
Why don't the article editors/writers interact with those who are making these comments? I don't understand this on TechSpot...
 