What just happened? Google is allowing Android devices to be used as physical authentication keys. This will drastically improve security when logging into Google applications and prevent phishing attacks. It also means that users don't have to buy a third-party physical token.
Good news for the security conscious among us. Google announced that any phone running Android 7.0 Nougat or higher can be used as a physical two-factor authentication (2FA) key. Before, physical authentication keys were limited to dongles like the YubiKey or Google's own Titan Security Key. Note that this only works when logging into Google apps in Chrome browsers on Windows 10, macOS, and ChromeOS. Your computer must also support Bluetooth.
The process is pretty straightforward. Sign in to your Google account on your Android phone and make sure Bluetooth is enabled. Enroll in 2FA under your Google account if you aren't already and click "Add security key." Choose your Android device as the security key and the process is complete.
To authenticate, Google uses a mixture of FIDO protocols and WebAuthn to ensure you aren't being subjected to a phishing attack: the phone signs the site's challenge together with the origin the browser is actually showing, so a response obtained on a lookalike site does not verify for the real one. For Pixel 3 owners, Google stores the FIDO credentials in the Titan M chip. As long as your phone is within Bluetooth range of your computer, it should authenticate. It's a mixture of what you have (phone), what you know (password), and cryptography (FIDO).
As a person with a background in networking and cybersecurity, I would strongly urge Android users to consider this new 2FA method if you're not already using something else. Many websites use SMS for 2FA; however, that has been shown to have major weaknesses. Facebook also allows users to be looked up via their 2FA phone number. While using software tokens like Authy or Google Authenticator is much safer, physical security keys are the safest.