Google has now announced the beta launch of a feature that can turn almost any Android device into a FIDO security key to help keep account logins safe. It works with any Android smartphone running Android 7.0, provided the log-in credentials are shared between the phone and the computer. As long as a user's mobile device meets those criteria, logins can be kept safe without spending extra money on a USB-based hardware key.
The method also doesn't require users to connect the phone directly to a computer, bypassing one of the common complaints about traditional security keys. Instead of needing to carry around an extra cable (analogous, Google says, to carrying around a dedicated USB key), the method works over Bluetooth. That maintains the localized verification of a hardware key while removing the inconvenience.
How does this work?
A step up from the more commonly used 2FA (two-factor authentication), most often seen as text-based codes entered as a secondary measure at sign-in, the newly introduced 2FV (two-factor verification) method is as much about convenience as improved security. Not only is the method harder to crack remotely, it also requires only a short setup process and a quick press of a hardware button to authenticate.
To get started, users need to ensure that they are signed into a Google account on their device and that the account is the same as the one they want to sign into on their Chrome OS, Windows 10, or macOS X computer. Chrome version 72 or newer is required as well.
Once that's verified, navigating to the account settings in Chrome — at myaccount.google.com — and then clicking on "Security" on the left-hand side of the page will reveal a subheading for "Signing in to Google" with a "2-Step Verification" option. That option leads to a completely separate page, at the bottom of which is a "Security Key" box with a button to set up a new security key. If the Android device is nearby with Bluetooth turned on and signed into the same Google Account, clicking that will bring up the option to use that device as a security key.
If 2FV is used, a second security key should be set up in case the user loses their smartphone, to avoid problems signing in if that happens.
After the security key is set up, users need to have their phone nearby with Bluetooth active when logging in, because verification will be sent to that device after their password is input. To verify that the user is who they say they are, they'll need to perform a long-press of their volume down hardware key.
Driving security even further
The addition of 2FV via an Android smartphone as a hardware key is likely just one of many incoming changes for Google security, following the FIDO2 certification of all Android handsets running Android 7.0 Nougat back in February. That could also eventually lead to an end for password-based log-in altogether using the world's most popular mobile OS.
For the time being, the search giant says it's focused on ensuring that the authentication method works well with Google accounts. According to widespread reports on the matter, following this beta, the company will also shift to allowing third parties to utilize 2FV sign-ins with an Android handset acting as the security key. That's not necessarily going to be fast to roll out since the feature is still in beta, but it is said to be in the company's plans.