Google Will Now Let You Use Your Android Phone as a Physical Security Key

By now you should know that two-factor authentication is a vital and necessary component of good security hygiene. That said, the most common ways of getting 2FA codes usually involve text messages or authenticator apps, which aren’t always hacker-proof. But today, Google announced at its Cloud Next conference that you can now use any Android 7+ phone as a legit physical security key.

Basically, all you have to do is connect your phone over Bluetooth to a Chrome browser and verify your logins. It works similarly to Google’s Titan Security Key, and includes the same WebAuthn and FIDO APIs. According to 9 to 5 Google, Pixel 3 users will be able to hold the volume down button during the authentication process. Meanwhile, other Android devices will use an on-screen button.

The advantage of a physical security key—like the Titan or now, Android phones—is that they’re less vulnerable to spoofing, a practice where bad actors impersonate your account to gain access to your data. Because your phone would have to be in close, physical proximity, it makes it much harder for hackers to phish your second-factor information

Setting up your Android phone as a security key is simple. First, you have to make sure your phone is running Android 7 or newer. You’ll also have to make sure your computer has Bluetooth (which shouldn’t be an issue for most laptops), has the latest version of the Chrome browser, and the most up-to-date version of whatever operating system you have installed on it. Then, you can sign onto your Google Account on your phone and make sure Bluetooth is turned on. After that, you can visit myaccount.google.com/security on your computer to turn on 2-Step Verification (Google’s term for 2FA), scroll down to “Add Security Key”, select “Your Android Phone”, and pick your phone from the list of available devices.

Right now, the service is limited to Google accounts, as well as other services like Google Cloud. Gizmodo reached out to Google to see when it might expand to third-party sites but we did not immediately receive a response.

Who should do this? Google recommends it for “journalists, activists, business leaders, and political campaign teams who are most at risk of targeted online attacks.” But everyone with a compatible Android phone who uses Google services should jump on this feature. It could be your gateway drug into the broader world of physical keys that protect you on a wide range of services.

[Google via TechCrunch, The Verge]