Google just announced a new security feature that allows users of Android 7 and later to use their smartphones to authenticate themselves to their Google accounts.
The surprise announcement was buried inside a pile of enterprise-oriented enhancements revealed at Google Cloud Next 2019 in San Francisco on Wednesday.
Released in beta, the feature is designed to protect Google users from phishing attacks. Once enabled, the user logs into their Google account using their username and password as normal before authenticating that their enrolled smartphone is present by clicking on a message that appears on the screen.
It’s identical in principle to using a FIDO USB token such as the YubiKey (or Google’s Titan key equivalent launched last year), except that the smartphone itself becomes the token.
This defeats phishing in the same way a token does because even if attackers get hold of someone’s Google username and password they can’t access the account without also having the smartphone.
Requirements
To use your Android phone (tablets don’t appear to be supported yet) as a security key, you must have a phone running Android version 7.x or later, and you need to turn on Bluetooth.
Your computer must also have Bluetooth, and be running the latest version of the Chrome browser, on a Chrome OS, macOS X or Windows computer.
How to turn it on
From Google’s support blog:
Step 1: Add the security key to your Google Account
- Turn on 2-Step Verification and add a verification method like Google Prompt.
- If you already use 2-Step Verification, you can move on.
- On your Android phone, go to myaccount.google.com/security.
- Under “Signing in to Google,” select 2-Step Verification. You might need to sign in.
- Scroll down to “Set up an alternative second step.”
- Select Add Security Key
Your Android phone
Step 2: Use your Android phone’s built-in security key
- On your computer, make sure Bluetooth is turned on in your settings or preferences.
- On your computer, sign in to your Google Account with your username and password.
- Check your Android phone for a notification.
- On your Android phone, double-tap the “Are you trying to sign in?” notification.
How does it work?
Google’s blog on the topic is light on technical detail but we can confidently assume this is the predicted marrying of FIDO2 protocols recently added to Android, and the wider WebAuthn authentication standard.
To simplify, browsers supporting WebAuthn communicate securely with the server, in this case, Google’s, verifying their authenticity. The FIDO2 protocol, meanwhile, handles the part where the computer and smartphone communicate to verify that the user has the smartphone present.
The latter works using FIDO2’s Client to Authenticator Protocol (CTAP), which performs the authentication with the smartphone via Bluetooth.
One report from the event also mentions something called “cloud-assisted Bluetooth Low Energy (caBLE)”. It’s not clear what this is although it could be Google’s next addition to the FIDO2 standard that adds additional security checks.
What happens if you lose or don’t have your smartphone? In that case, you’ll either need to have enabled the Authenticator app as a fallback or have a security key (the YubiKey or Titan), or have made a note of the backup security codes Google lets you download and print.
ChucktheCanuk
Please let us know when tablets are supported!
Although my combination of Amazon Fire and Vivaldi browser (Win10 and Linux) may not be one of the combinations supported.
Matthew Parkes
i presume there is some kind of mechanism that doesn’t allow the use of the phone being used as the key to be the device being used to access the service requiring the key? If a crook stole your phone, got past a biometric or passcode on the device or worse still there was none and then used the chrome app to go to gmail, had the right username and password then surely this would be game over, the same idea as why SMS as MFA isn’t a good idea.
John E Dunn
The scenario you mention sounds extreme – you lose the phone, fail to use a secure PIN, and somehow the crook gets hold of you username and password.
This is about making raising the bar for phishing attacks.
Francois
So, if I get this right, you have to be on a computer that has Bluetooth for this to work? I don’t see how well this is going to be working for everyone. I’m not sure how this is better than Google authenticator.
Dan
@Matthew Parkes: SMS as MFA is better than 1FA, but not great. Criminals regularly call up phone companies, pretend to be you (well, their victim), and tell the phone company that they (really you) got a new phone or new SIM card. They then get your text messages and can use them in 2FA and get into your stuff. This is common, and there is currently no good way to stop it.
Paul Ducklin
SIM swaps aren’t *that* common, are very hard to automate, can be defended against (in some countries mobile phone companies let you lock down your account to make changes harder), and can be detected (your phone goes dead).
So SMS for 2FA is much better than nothing. The US public service advises against it for government security but if you don’t want to run a 2FA app or carry a security token it does raise the bar…
Faz
Why on earth do they need Bluetooth activated? Does it not gracefully fall back to “manually enter the code from your smartphone to complete logjn”?!
Paul Ducklin
The protocol isn’t as simple as “re-type this 6-digit code” – there’s a cryptographic dance in there that needs to trade more data each way that could be typed in. In standalone authenticator tokens like YubiKey, USB or NFC is used; here, it’s Bluetooth.