And it doesn’t require much more than downloading a dedicated app.
Last year, Google made it possible for most Android users to use their phone as a physical security key for their Google accounts. Fast forward a few months and most iPhone users receive the same option.
According to Google’s blog post yesterday, the feature was introduced with an update to the Google Smart Lock app on iOS and is available to all iPhone owners running iOS 10 or newer. The new functionality essentially turns the devices into FIDO2-compliant security keys, allowing authentication into Google accounts on Windows 10, macOS, iOS and Chrome OS devices. It leverages the Secure Enclave, the hardware component of modern Apple devices that protects people’s most sensitive data.
The move has to do with Google’s streamlining of the enrollment process for its Advanced Protection Program (APP), which provides extra protection against phishing and other attacks that prey on login credentials. The program, which once required people to use dedicated hardware security keys, is mainly aimed at high-risk users.
Importantly, however, you needn’t be a business leader, journalist or politician to harden your Google account security. Anyone who uses a newer iPhone (iOS 10 or higher) or Android (7.0 Nougat or higher) and wishes to prevent successful account-hijacking attacks can enroll in the program and avail themselves of the security enhancement.
RELATED READING: 2FA: Double down on your security
Indeed, if you own an iPhone, using a solid 2FA method to secure your Google account has never been easier. On top of being more secure than SMS-based two-factor authentication (2FA), the new option is also more convenient than carrying around a separate security token, such as Google‘s own Titan Security Key. Also, you would previously need to buy one of the dedicated security keys in the first place.
This is not to say that you should rush to ditch your security token once you switch to the more convenient option. One potential issue is the loss or theft of your phone, which Google says is best addressed by having a backup security key at the ready.
How to get started
Most of all, you’ll need to enable the new 2FA option in your Google account settings and download the Google Smart Lock app. The subsequent setup process is quite quick and self-explanatory but, if needed, Google’s step-by-step guide is there to help.
To verify sign-ins, you will need to turn on Bluetooth on both your phone and computer, as well as allow the app to send push notifications, which will act as the second authentication factor. Your phone will also need to be relatively close to your computer, leaving a typical phisher who has no access to your unlocked phone out of luck.
Speaking of phishing, Google has more than once spoken highly of the capabilities of hardware-based 2FA. “Zero users that exclusively use security keys fell victim to targeted phishing during our investigation,” the tech giant said about the results of a study last year.
The same functionality, for all intents and purposes, is now available on all newer iPhones and Android devices.
written by Tomas Foltyn, ESET We Live Security