Your Android phone is now a physical 2FA security key for Google services

  • Liam Tung (CSO Online)
  • 11 April, 2019 06:27

Google has now made Android a critical piece in protecting Gmail users from phishing attackers. The company announced on Wednesday that Android 7 Nougat devices can now act as a physical security key by connecting to a PC via Bluetooth.  

Instead of requiring a physical security key, such as its own Titan keys or a Yubico Yubikey, any phone running Android 7 or higher can stand in place of that physical key as the second factor. 

Currently in beta, anyone with a phone running Nougat or above can use the device as their security key for signing into a Google Account, G Suite accounts at work, and Google's Advanced Protection Program for high-value targets of state-sponsored hackers, such as activists, journalists, and political campaign teams. 

Google is pitching it to its G Suite business customers as a way to speed up adoption of 2FA or two-factor authentication, which requires that a person who is logging into an account knows the account’s credentials and physically possesses something unique, such as a security key, and now an Android phone. 

“This can make it faster for you to implement 2-Step Verification in your organization while keeping user training and overall costs to a minimum,” Google notes on its G Suite updates blog. 

Before today’s announcement the optimal way to protect users against password phishing was to use a security key, which typically must be plugged into a computer’s USB port. 

Google’s Titan keys also support Bluetooth for 2FA using the FIDO authentication standard, but Yubico has resisted Bluetooth due to its security concerns and prefers NFC.   

Google has published a new support page detailing how to add an Android phone as a security key for a Google Account. Users need an Android 7.0+ phone and a Bluetooth-enabled Chrome OS, macOS or Windows 10 computer with a Chrome browser.

Google’s Android move for Google Accounts comes as all major browsers, including Google Chrome, are rallying behind WebAuthn, a recently approved W3C standard that is seen as the successor to FIDO U2F (Universal 2nd Factor). 

Websites can implement WebAuthn to allow their users to sign in using biometrics from a phone or Windows 10 device, as well as with security keys. The system relies on an end-user device’s “authenticator”, such as a fingerprint reader or, say, Windows Hello, to sign in, making it more difficult for phishers to access an account even when they have the standard credentials.

Firefox maker Mozilla however has hit a stumbling block in its plans to support WebAuthn. Firefox has only partially supported FIDO U2F, which is supported by Google Chrome and Google Accounts. 

Mozilla has now decided to support FIDO U2F in Firefox Nightly 68 and Firefox Beta 67, essentially because millions of older Android devices can’t be updated to fully support WebAuthn.

For this reason, WebAuthn support on Google Accounts is being withheld by Google since it doesn’t want to lock out Android users from Gmail accounts if they’ve enabled 2FA. 

However, that’s forced Mozilla to add backward-compatibility for FIDO U2F in Firefox to cater to the Google users who’ve enabled 2FA with security keys — even though Mozilla believes supporting a legacy authentication standard sends the wrong signal to the industry at a time when it has been promoting WebAuthn as the best way to combat phishing.