Back in April during its Cloud Next 2019 developer conference, Google rolled out a feature that allows Android phones running Android 7.0 Nougat and up to act as Fast Identity Online (FIDO) security keys, enabling them to protect G Suite, Cloud Identity, and Google Cloud Platform accounts across Bluetooth-enabled Chrome OS, macOS, and Windows 10 devices. Google says that in the first month since launch, more than 100,000 people began using their phones as a security key, and that number is likely to climb in light of this week’s news: Today, security keys on Android phones can verify sign-ins on Apple iPads and iPhones.
“Compromised credentials are one of the most common causes of security breaches,” wrote Google software engineer Kaiyu Yan and product manager of identity and security Christiaan Brand in a blog post. “While Google automatically blocks the majority of unauthorized sign-in attempts, adding two-step verification (2SV) considerably improves account security … [and now,] you can use your Android phone to verify your sign-in on Apple iPads and iPhones.”
For the uninitiated, FIDO is a family of authentication standards developed and certified by the nonprofit FIDO Alliance, built on public key cryptography and multifactor authentication: the Universal Authentication Framework (UAF) and Universal Second Factor (U2F) protocols, and more recently FIDO2. When you register a FIDO device with an online service, the device generates a key pair for that service: (1) a private key that stays on the device and never goes online and (2) a public key that the service stores. During authentication, the service sends a fresh random challenge and the device "proves possession" of the private key by signing it; before doing so, it asks you to confirm with a PIN code or password, a fingerprint, or, on some devices, your voice.
Boiled down to basics, the signature is bound to the website that requested it: the browser tells the key which site is asking, and a lookalike phishing page cannot obtain a signature that the real site will accept. That's the advantage over one-time codes sent via text message or email, which work wherever you type them, including on a phisher's page. (Google files both options under its 2-Step Verification umbrella, but a security key is a far stronger second step than a code.)
Since 2014, Yubico, Google, NXP, and others have collaborated on the Alliance's standards and protocols, including the World Wide Web Consortium's (W3C) Web Authentication API, WebAuthn. (WebAuthn shipped in Chrome 67 and Firefox 60 last year.) Among the services that support them are Dropbox, Facebook, GitHub, Salesforce, Stripe, and Twitter.
On Chrome OS, macOS, and Windows 10 devices, Google's solution runs the FIDO Client to Authenticator Protocol (CTAP) between the computer and the phone, and requires the browser to tell the phone which website is currently onscreen so that the phone signs for that site and no other. (On iOS devices, Google's Smart Lock app stands in for the browser.) Google further built a local proximity protocol on top of Bluetooth, cloud-assisted Bluetooth Low Energy (caBLE), that doesn't require pairing, installing an app, or plugging anything into a USB port, while still requiring the phone to be physically near the computer whose sign-in it approves. It has been submitted to FIDO and remains under review, which restricts it strictly to Google accounts for now.
If you're looking to take advantage of the new security-key-on-Android functionality, install the Smart Lock app on your iPhone or iPad running iOS version 10.0 or up and follow these steps to get started:
- Add your personal or work Google Account to your Android 7.0+ (Nougat) phone.
- Make sure you’re enrolled in 2-Step Verification (2SV).
- On your computer, visit the 2SV settings and click “Add security key”.
- Choose your Android phone from the list of available devices.
Once you've done all that, make sure Bluetooth is enabled on all devices and switch over to your iPhone or iPad. Sign in to your Google Account with your username and password using Smart Lock, then check your Android phone for a notification and follow its instructions to confirm that it's you signing in.
Google notes that within enterprise organizations, admins can require the use of security keys for users in G Suite and Google Cloud Platform, letting them choose between using a physical security key, an Android phone, or both.