When it comes to personal internet security, everyone knows that two-factor authentication is vital to keeping you safe. The challenge is that in order to get a two-factor authentication code, you typically need a text message or an authenticator app. These certainly make it easier, but they aren’t always hacker-proof. And all of us are living in a time when we need to be extremely careful about our data and do whatever we can to ensure that it’s kept safe. That’s why I am happy to see that Google will allow you to use any Android 7+ phone as an actual physical security key. That’s right, instead of having to pull your phone out and then open an app, you simply pull your phone out.
More specifically, all you have to do is connect your phone over Bluetooth to a Chrome browser and then verify your login information. This process works similarly to Google’s Titan Security Key and uses the same WebAuthn and FIDO APIs. If you’re a Pixel 3 user, you will be able to hold down the volume button during the authentication process. If you’re using another Android device, you’ll have to use an on-screen button.
So why is this so much better than an app? The big difference is that a physical security key is less vulnerable to spoofing. If you’re not familiar with spoofing, it’s a practice where an attacker impersonates your account in order to gain access to your information. Because your phone has to be in close physical proximity, it is much more difficult for hackers to obtain your second-factor information and use it to gain access to your devices and accounts.
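On top of the proximity requirement, WebAuthn has the browser record the site's origin in every sign-in response, and the site rejects a response that was produced for any other origin. The sketch below is an added example of those server-side checks, not code from Google or from the original article; the host names `login.example` and `lookalike.example`, the function names and the sample responses are constructed for illustration.

```python
import base64
import hashlib
import json

FLAG_USER_PRESENT = 0x01  # bit 0 of the flags byte in authenticator data


def b64url(data):
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_assertion(client_data_json, authenticator_data, challenge, origin, rp_id):
    """Return reasons to reject a sign-in response (empty list = checks pass).

    Covers the origin-binding checks only; verifying the signature over
    authenticator_data || SHA-256(client_data_json) is a separate step.
    """
    client = json.loads(client_data_json)
    if not isinstance(client, dict):
        return ["clientDataJSON"]
    problems = []
    if client.get("type") != "webauthn.get":
        problems.append("type")
    if client.get("challenge") != b64url(challenge):
        problems.append("challenge")      # response was not made for this login
    if client.get("origin") != origin:
        problems.append("origin")         # browser was on a different site
    if len(authenticator_data) < 37:      # 32 rpIdHash + 1 flags + 4 signCount
        return problems + ["authenticator data too short"]
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash")       # key signed for a different site
    if not authenticator_data[32] & FLAG_USER_PRESENT:
        problems.append("user presence")  # nobody pressed the button
    return problems


def sample_response(challenge, origin, rp_id, flags=FLAG_USER_PRESENT):
    """Constructed stand-in for what a browser and security key return."""
    client = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (7).to_bytes(4, "big")
    return client, auth


CHALLENGE = bytes(range(32))  # constructed; a real server uses fresh random bytes
GENUINE = sample_response(CHALLENGE, "https://login.example", "login.example")
SPOOFED = sample_response(CHALLENGE, "https://lookalike.example", "lookalike.example")
```

A response produced on the lookalike origin fails both the origin and the rpIdHash check, even though the user pressed the button and the challenge is correct.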
If you have an Android phone, and you want to set it up as a security key, it’s relatively simple:
First, you have to make sure your phone is running Android 7 or newer. You’ll also have to make sure your computer has Bluetooth (which shouldn’t be an issue for most laptops), the latest version of the Chrome browser, and the most up-to-date version of whatever operating system you have installed on it. Then, you can sign in to your Google Account on your phone and make sure Bluetooth is turned on. After that, you can visit myaccount.google.com/security on your computer to turn on 2-Step Verification (Google’s term for 2FA), scroll down to “Add Security Key”, select “Your Android Phone”, and pick your phone from the list of available devices.
As of right now, the service is limited to Google accounts as well as other services like Google Cloud. When this service will be expanded to third parties is unknown at this time, but this is at least a start.
But who needs this level of security? Some might argue anyone, but Google believes that there is a specific group of people who might be at risk of an online attack, including journalists, activists, business leaders and anyone on a political campaign team. I think given the kind of leaks we are seeing in the media these days, it wouldn’t hurt for these groups to set up this level of authentication. That said, anyone could benefit from this kind of security in my opinion.