IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Google turns Android phones into 2FA keys for iOS login

FIDO keys touted as the most secure protection against hackers and phishing campaigns

Two-factor authentication

Users accessing their Google account using an iOS device can now use a separate Android device as a security token, Google has announced.

Google had previously rolled out this feature for G Suite, Cloud Identity and Google Cloud Platform (GCP) customers, as well as personal Google account holders. The physical token, however, could only work to access these services on devices running Chrome OS, macOS X or Windows 10 with a Chrome browser.

The company has now devised a process to port this service to work with iOS devices, launching immediately, and with Android phones available as an option for security keys by default across organisations with 2FA enabled.

"FIDO security keys provide the strongest protection against automated bots, bulk phishing, and targeted attacks by leveraging public key cryptography to verify your identity and URL of the login page," said Google's Kaiyu Yan, a software engineer, and Christiaan Brand, product manager for identity and security, in a blog post.

"An attacker can't access your account even if you are tricked into providing your username and password. Until now, there were limited options for using FIDO2 security keys on iOS devices. Now, you can get the strongest 2SV method with the convenience of an Android phone that's always in your pocket at no additional cost."

The mechanism to communicate between devices works differently than it does for Windows 10, which uses a Chrome browser as the intermediary. When users are prompted to confirm on iOS, the Android phone fob links up with Google's Smart Lock app instead.

When logging in to Google services on an iPhone or iPad, the app will communicate with the Android device via Bluetooth so users can then confirm their identity. Confirmation is then sent back the other way and they are able to log in.

However, Google's own Titan key authenticator, something which it once claimed was the "strongest, most phishing resistant method of two-step verification (2SV) on the market today", was found last month to contain a flaw that exploited misconfigured Bluetooth pairing. Although the company dismissed the flaw as being too difficult to replicate, requiring hackers to be within 30 feet of a target, the news still prompted a recall of the devices.

Google's latest move feeds into a wider aim of raising multi-factor authentication (MFA) usage and phasing out reliance on just passwords to authenticate user identities. Microsoft, meanwhile, has strived to eliminate passwords altogether in favour of biometric alternatives like facial recognition and fingerprint scanning.

Even in the realm of 2FA, however, security is not guaranteed. A researcher in January, for instance, released a tool that can bypass a slate of popular text or code-based 2FA schemes used on platforms such as Gmail and Yahoo.

Featured Resources

Big data for finance

How to leverage big data analytics and AI in the finance sector

Free Download

Ten critical factors for cloud analytics success

Cloud-native, intelligent, and automated data management strategies to accelerate time to value and ROI

Free Download

Remove barriers and reconnect with your customers

The $260 billion dollar friction problem businesses don't know they have

Free Download

The future of work is already here. Now’s the time to secure it.

Robust security to protect and enable your business

Free Download

Recommended

Education and government most at risk from email threats
phishing

Education and government most at risk from email threats

26 Nov 2021
Attackers use CSS to fool anti-phishing systems
phishing

Attackers use CSS to fool anti-phishing systems

11 Nov 2021

Most Popular

How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022
The human brain is far more complex than AI researchers imagine
artificial intelligence (AI)

The human brain is far more complex than AI researchers imagine

17 Sep 2022
The cryptocurrency implosion shows we’re heading for the end
cryptocurrencies

The cryptocurrency implosion shows we’re heading for the end

29 Sep 2022