Now, use your phone as Google security key: Here's how
Given the growing risk of phishing attempts, leaks, and breaches, Google is upgrading two-factor authentication for its services and apps. The tech giant has introduced a way to use your own Android device as a physical security key, the strongest way to verify a login attempt, which until now had to be purchased separately. Here's how you can use it.
Need for security keys
For years, Google has been verifying logins with techniques like SMS codes, Google Authenticator codes, and Prompts that enable communication between two devices over the internet. The catch is that all of these methods are easier to circumvent than a physical security key built on the FIDO security standard. Such a key can detect whether you're logging in on the right page and protect you from critical phishing attacks.
Now, Google is turning Android into security keys
Physical keys had to be purchased and carried around, but Google is offering an alternative in the form of phones running Android 7.0 or newer. These devices, when configured, can be used as a security key to verify logins to any Google service. The phone works on the same FIDO and WebAuthn authentication protocols to offer protection and check whether you are on the right page.
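The "right page" check described above comes from WebAuthn tying every login response to the site's origin and relying-party ID, both reported by the browser and the key rather than by the page. The following Python is an added example, not code from Google or from the original article; the domains, challenge and function names are assumptions, the sample assertions are constructed, and signature verification over the data is left out to keep the focus on the binding checks.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample: what the browser and key report for a login on `origin`."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # Authenticator data layout: rpIdHash (32 bytes) | flags (1) | signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return client_data, auth_data

def check_binding(client_data, auth_data, challenge, expected_origin, rp_id):
    """Return the list of failed binding checks; an empty list means all passed."""
    failed = []
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    sent = str(cd.get("challenge")).encode()
    if not hmac.compare_digest(sent, b64url(challenge).encode()):
        failed.append("challenge")
    if cd.get("origin") != expected_origin:   # filled in by the browser, not the page
        failed.append("origin")
    if len(auth_data) < 37:
        return failed + ["auth_data_length"]
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        failed.append("rp_id_hash")
    if not auth_data[32] & 0x01:              # flags bit 0 = user present
        failed.append("user_present")
    return failed

ORIGIN, RP_ID = "https://accounts.example.com", "accounts.example.com"  # assumed site
CHALLENGE = bytes(range(32))  # constructed; a real server issues a fresh random value

def demo():
    real = make_assertion(ORIGIN, RP_ID, CHALLENGE)
    fake_host = "accounts.example.com.login.test"  # constructed lookalike domain
    phish = make_assertion("https://" + fake_host, fake_host, CHALLENGE)
    return (check_binding(*real, CHALLENGE, ORIGIN, RP_ID),
            check_binding(*phish, CHALLENGE, ORIGIN, RP_ID))

if __name__ == "__main__":
    print(demo())
```

A response produced on the lookalike domain fails both the origin and the relying-party ID hash checks even though the challenge is correct, which is why a relayed login prompt does not help a phishing page.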
Google recommends this feature for journalists and activists
In a blog post announcing the feature, Google said it recommends the new authentication capability to "journalists, activists, business leaders and political campaign teams who are most at risk of targeted online attacks."
Still, the use is pretty limited at present
Google's new option enhances security but comes with some caveats. First, the authentication feature only works when you sign in to Gmail, G Suite, Google Cloud, and other Google account services using the Chrome browser. Second, the whole process relies on Bluetooth, which means the machine on which you're trying to log in must have Bluetooth and your Android phone must be in close proximity.
Setting up your Android as a physical security key
Now, if you're ready to use your Android device as a security key, head over to myaccount.google.com/security in Chrome and sign in with the account that is logged in on your phone. After this, click on 'Two-step verification', select 'Add security key' and choose the phone you want to use as the key. Once that's done, future unrecognized logins will be verified through this phone.
How the verification process would work
With the setup complete, any future login would be verified with your phone via Bluetooth. Simply put, when you log in on a new device, Google will notify you of the attempt on your phone and ask you to approve the login. You can then securely approve it by hitting the 'Yes' button or, on a Pixel 3, pressing the volume down button.
Also, keep secondary authentication method ready
As the new method only works with Chrome, it is recommended to keep a secondary authentication method ready to get a login approved in case you're signing in from another browser or have lost your phone.