On Monday, Google pushed out an update for the iOS version of Smart Lock, its built-in, on-by-default password manager.
Smart Lock – which has been available for Google’s Chrome browser since 2017 – now also lets iOS users set up their device as the second factor in two-factor authentication (2FA), meaning that you no longer have to carry around a separate security key dongle.
Smart Lock for iOS uses the iPhone’s Secure Enclave Processor (SEP), which is built into every iOS device with Touch ID or Face ID. That’s the processor that handles data encryption on the device – a processor that oh, so many law enforcement and hacker types spend so much time complaining about… or, as the case may be, cracking for fun, fame and profit.
After you set it up, you’ll just need your iPhone or iPad, plus your usual password, to complete 2FA when you sign in to Google on a desktop using Chrome.
A big plus: it uses a Bluetooth connection, rather than sending a code via SMS that could be intercepted in a SIM swap attack. In a SIM swap attack, a hijacker gets their hands on a phone number – typically by sweet-talking/social-engineering it away from its rightful owner – after which they can intercept the 2FA codes that the number’s rightful owner set up to protect their accounts.
SIM swap fraud is one of the simplest, and therefore the most popular, ways for crooks to skirt the protection of 2FA, according to a warning that the FBI sent to US companies in October 2019.
Given that Apple introduced SEP – which stores encrypted security keys on an iOS device – with the iPhone 5S, the feature won’t work on earlier models. You’ll also need to be running iOS 10 or later to run the Smart Lock app.
How to use your iPhone for 2FA when signing into Google
Here’s how to get started with Smart Lock for iOS:
- Download the free Google Smart Lock app from the iTunes App Store.
- Follow the setup steps that ask for Bluetooth access.
- Log into your Google account and confirm that you want to use your iPhone for verification.
After that, whenever you want to log in to your Google account, you’ll need to enter your password. Then you’ll need to confirm – in a popup on your iPhone – that yes, it’s really you trying to sign in.