Google will now allow anyone with an iPhone (iOS 10+) to use their mobile device as a security key for authenticating themselves when logging into their Google Account. This brings iPhones in line with Android phones, which have had built-in security key support since last April.
While this new functionality is available to any iPhone user as a two-factor authentication (2FA) mechanism, today’s launch also has ramifications for Google’s Advanced Protection Program, which is designed to protect accounts most at risk of being hacked — such as those belonging to political campaign teams. The upcoming U.S. Presidential election faces threats on multiple fronts, a situation that has spurred all the big tech companies to rejig their platforms to avoid abuses.
Google first announced its Advanced Protection Program back in October 2017 as a way for individuals — including journalists, political campaigners, and activists — to protect their Google accounts from hacks. The program focuses on three key security mechanisms: It provides phishing protection by requiring a physical security key to access a Google account via two-factor authentication (2FA), restricts third-party access to Gmail and Google Drive data to Google’s own apps and select third-party apps, and requires extra verification steps when an account recovery process is initiated.
The Advanced Protection Program has also catered somewhat to the Apple ecosystem, with Google introducing support for Apple’s Calendar, Contacts, and Mail app in 2018. This effectively allows iPhone and iPad users to securely synchronize their Google Calendar events with Apple Calendar, or forward messages from Gmail to Apple Mail, for example.
In April of last year, Google announced an update that would allow any Android device (7.0+) to double as a Fast Identity Online (FIDO) security key. This was open to all Google Account users, enabling them to authenticate themselves using their Android phone via Bluetooth on Chrome OS, macOS, and Windows 10 devices. Shortly after, Google extended support to iOS, meaning Android devices could now be used to authenticate Google Accounts on iPhone or iPad.
The crux of today’s news is that iPhones themselves can also now be used as a security key by any Google Account user, including those who are registered on the Advanced Protection Program. The one notable difference, however, is that while the security key functionality is built directly into Android devices, those on iPhone will have to activate the security key using Google’s Smart Lock app for iOS.
It uses the Secure Enclave as a security key, it's pretty cool.
— Filippo Valsorda (@FiloSottile) January 14, 2020
The fact that iPhones can now authenticate Google Accounts via Bluetooth on Chrome OS, iOS, macOS, and Windows 10 devices makes it just that little bit easier for any high-profile targets, such as politicians and their campaigners, to secure their Google Accounts from nefarious actors. Even if a phishing attempt successfully harvests someone’s username and password, those credentials are useless on their own if the Google Account also requires authentication with the physical iPhone.
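Why a phished password does not help an attacker when a FIDO security key is in play comes down to origin binding: the authenticator signs over the website origin and relying-party (RP) ID that the browser reports, together with a fresh per-login challenge, so an assertion collected on a look-alike domain fails verification at the real site. The following Go program is an added illustration of that check and is not code from Google or from the article; it simulates a minimal WebAuthn-style assertion with constructed values (the RP ID `example.com`, the origin `https://example.com`, a fabricated challenge, and a constructed phishing domain `example-com.invalid`). The private key lives in process memory here, whereas a phone keeps it in secure hardware, as the tweet above notes for the Secure Enclave.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Constructed values for this example: the relying party (RP) ID and the origin
// the RP expects genuine logins to come from.
const (
	rpID           = "example.com"
	expectedOrigin = "https://example.com"
)

// clientData mirrors WebAuthn's CollectedClientData: the browser, not the web
// page, fills in the origin, and the authenticator signs over it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedMessage is what both sides hash: authData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign plays the authenticator (the phone's secure hardware): it signs an
// assertion for whatever RP ID and origin the browser reports to it, and
// returns authenticator data, client data JSON and the signature.
func Sign(priv *ecdsa.PrivateKey, rp, origin, challenge string) ([]byte, []byte, []byte, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin}) // plain strings cannot fail to marshal
	h := sha256.Sum256([]byte(rp))
	authData := append(append(h[:], 0x01), 0, 0, 0, 1) // SHA-256(rpID) || flags (user present) || 4-byte counter
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	if err != nil {
		return nil, nil, nil, err
	}
	return authData, cd, sig, nil
}

// Verify is the RP side: ceremony type, challenge, origin and RP ID hash are
// checked before the signature is checked against the registered public key.
func Verify(pub *ecdsa.PublicKey, authData, clientDataJSON, sig []byte, challenge string) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return fmt.Errorf("unexpected ceremony type %q", cd.Type)
	}
	if cd.Challenge != challenge {
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, expectedOrigin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || string(authData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash does not match %q", rpID)
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, clientDataJSON), sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// Demo registers one credential and uses it from the genuine origin and from a
// constructed look-alike phishing origin; it reports whether each was accepted.
func Demo() (genuineOK, phishedOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	challenge := "constructed-challenge-0001" // a real RP issues a fresh random one per login
	try := func(rp, origin string) bool {
		authData, cd, sig, err := Sign(priv, rp, origin, challenge)
		return err == nil && Verify(&priv.PublicKey, authData, cd, sig, challenge) == nil
	}
	// The phishing page is on another domain, so the browser reports that domain
	// as RP ID and origin; the signature then covers values the real RP rejects.
	return try(rpID, expectedOrigin), try("example-com.invalid", "https://example-com.invalid"), nil
}

func main() {
	g, p, err := Demo()
	fmt.Println("genuine origin accepted:", g, "| phishing origin accepted:", p, "| error:", err)
}
```

The key point for defenders is that the attacker's page never gets to choose what the signed client data says: the browser writes the origin, and the signature covers it, so a username and password captured on the phishing site cannot be combined with a replayed assertion to satisfy the real relying party.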
It’s worth noting that while iPhone users were already able to participate in the Advanced Protection Program, they would have needed to buy a physical security key — which not only creates extra friction but could prove costly if a campaign team has hundreds of staffers.