Google turns Android phones into 2FA keys for iOS login

Users accessing their Google account using an iOS device can now use a separate Android device as a security token, Google has announced.

Google had previously rolled out this feature for G Suite, Cloud Identity and Google Cloud Platform (GCP) customers, as well as personal Google account holders. The physical token, however, could only work to access these services on devices running Chrome OS, macOS X or Windows 10 with a Chrome browser.

The company has now devised a process to port this service to work with iOS devices, launching immediately, and with Android phones available as an option for security keys by default across organisations with 2FA enabled.

"FIDO security keys provide the strongest protection against automated bots, bulk phishing, and targeted attacks by leveraging public key cryptography to verify your identity and URL of the login page," said Google's Kaiyu Yan, a software engineer, and Christiaan Brand, product manager for identity and security, in a blog post.

"An attacker can't access your account even if you are tricked into providing your username and password. Until now, there were limited options for using FIDO2 security keys on iOS devices. Now, you can get the strongest 2SV method with the convenience of an Android phone that's always in your pocket at no additional cost."

The mechanism to communicate between devices works differently than it does for Windows 10, which uses a Chrome browser as the intermediary. When users are prompted to confirm on iOS, the Android phone fob links up with Google's Smart Lock app instead.

When logging in to Google services on an iPhone or iPad, the app will communicate with the Android device via Bluetooth so users can then confirm their identity. Confirmation is then sent back the other way and they are able to log in.

However, Google's own Titan key authenticator, something which it once claimed was the "strongest, most phishing resistant method of two-step verification (2SV) on the market today", was found last month to contain a flaw that exploited misconfigured Bluetooth pairing. Although the company dismissed the flaw as being too difficult to replicate, requiring hackers to be within 30 feet of a target, the news still prompted a recall of the devices.

Google's latest move feeds into a wider aim of raising multi-factor authentication (MFA) usage and phasing out reliance on just passwords to authenticate user identities. Microsoft, meanwhile, has strived to eliminate passwords altogether in favour of biometric alternatives like facial recognition and fingerprint scanning.

Even in the realm of 2FA, however, security is not guaranteed. A researcher in January, for instance, released a tool that can bypass a slate of popular text or code-based 2FA schemes used on platforms such as Gmail and Yahoo.