Android phones become Google's most secure form of MFA

Desktop monitor and mobile phone with hand pointing

Google Cloud has revealed that Android devices can now be used as a Titan authentication key in what's seen as a major push to protect user accounts from online scams.

Working much like Google’s Titan key, which is built in accordance with FIDO standards, your phone can now act as the most secure version of multi-factor authentication (MFA) yet.

Other MFA methods, such as confirmation texts and mobile apps, have come under scrutiny as they can still be exploited by phishers who can trick users into helping them access their accounts.

The key is able to keep a log of phishing websites that Google is aware of and, if you visit one, the security key built into your Android phone will block you from handing over login credentials to phishers.

Google calls the new security standard ‘phone-as-a-security-key’ (PaaSK); the phone connects to your device via the Google-built standard, which itself is built on top of Bluetooth to create a three-pronged layer of protection.

The security also works through proximity, and so long as your phone is connected to your device, say a laptop, then the device will recognise you as both the user attempting to log in and the owner of the account’s corresponding security key. Instead of waiting for a text, a security screen will automatically appear on your phone requiring you to either hold down a volume button if using a Google phone or press an on-screen button for any other Android device.

The advantage of this is that although attackers can get you to hand over your phone number to access an SMS-based 2FA protection barrier, an attacker would find it much harder to get their hands on your phone and stay in close proximity to your computer.

Google has said that only Android devices running version 7.0 or later will support the new PaaSK platform at launch, but it can be used on all major computer operating systems including Windows, MacOSX, and Chrome OS.

“We’re focussed on Android first, but it’s not out of the realms of possibility that in the future there will be something for iOS, at least for Google accounts,” said Sam Srinivas, product management director at Google Cloud.

You’ll be able to associate as many Google accounts with the PaaSK as you wish but the user must be logged into the correct key on the phone first before making the login attempt on a browser.

Although Google says it blocks 99.9% of all fraudulent log-in attempts on its users’ accounts, there is still a 0.1% issue regarding cases of phishing, keylogging and data breaches - cases where the attacker has the correct password, making it difficult to differentiate between a genuine and fraudulent attempt.

Google chose to implement FIDO in its most recent push against phishing attacks because out of all the other MFA methods, namely SMS/voice, backup code and authenticator apps, FIDO has proved the only phishing-resistant method.

According to Google's own assessments, user accounts becomes 10x more vulnerable if credentials are used in a data breach, 40x more vulnerable when threatened by keylogging, and 500x more vulnerable if compromised by a phishing scam.


ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.

For regular updates delivered to your inbox and social feeds, be sure to sign up to our daily newsletter and follow on us LinkedIn and Twitter.