Android’s Security Key Now Works with iOS Devices

Starting this week, Android phones can be used to verify sign-ins on Apple iPads and iPhones, Google announced. 

The capability is enabled by the recently introduced 2-Step Verification (2SV) method that allows users to protect accounts with a security key built into their Android phones. 

Previously, the technology could be used to verify sign-ins to Google and Google Cloud services on Bluetooth-enabled devices running Chrome OS, macOS, and Windows 10, and can now be used to verify sign-ins on Apple iPads and iPhones as well.

Google’s solution relies on FIDO security keys, which provide strong protection against automated bots, bulk phishing, and targeted attacks. The technology relies on public key cryptography to verify the user’s identity and URL of the login page, meaning that the attackers are denied access to the account even if they have the username and password at hand. 

While leveraging the Chrome browser on Chrome OS, macOS, and Windows 10 devices to communicate with Android phone’s built-in security key over Bluetooth using FIDO’s CTAP2 protocol, Google’s solution relies on the Smart Lock app for that on iOS devices. 

“Until now, there were limited options for using FIDO2 security keys on iOS devices. Now, you can get the strongest 2SV method with the convenience of an Android phone that’s always in your pocket at no additional cost,” the Internet search giant notes

To get started, users first need to add the security key to their Google Account. For that, they should set up a personal or work Google Account on a phone running Android 7 or newer platform version, enroll in 2-Step Verification (2SV), visit the 2SV settings on a computer and select "Add security key", and then select the Android phone from the list of available devices.

To start using the Android phone’s built-in security key with an iPhone or iPad (iOS version 10.0 or up), Bluetooth needs to be enabled on both devices. Users then need to sign in to their Google Account with a username and password using the Google Smart Lock app, check the Android phone for a notification, and then follow the instructions to confirm the sign in.

“Within enterprise organizations, admins can require the use of security keys for their users in G Suite and Google Cloud Platform (GCP), letting them choose between using a physical security key, an Android phone, or both,” the Internet company explains. 

Google recommends the registration of a backup hardware security key (from Google or a number of other vendors) for any account, as well as to keep it in a safe place, to ensure that access to the account is possible even if the Android phone is lost.

The search giant has also published detailed instructions on how one can use the Android phone’s built-in security key. 

Related: Google Unveils New Encryption Features for Android Developers

Related: Support for FIDO2 Passwordless Authentication Added to Android

view counter

Original author: Ionut Arghire