Available in beta at the moment, the new feature is intended to provide an additional authentication factor and keep Google account users safe from phishing scams and other attacks that attempt to steal people’s login credentials. It can be used to protect your personal Google accounts, as well as Google Cloud Accounts at work.
There are a few basic requirements for using your smartphone as a FIDO2-based security key beyond running Android 7.0 or newer. For one thing, your phone will need to have both Bluetooth and location services enabled. Additionally, you will need to have a Bluetooth-enabled Chrome OS, macOS X or Windows 10 computer and use Google Chrome.
To turn on the new feature, you will need to add your Google account to your phone, ensure you’re enrolled in two-step verification/2SV (Google’s term for 2FA), click the ‘Add security key’ option in your 2SV settings and pick the relevant smartphone. Google also provides a detailed how-to guide for the setup process.
The extra factor
Two-factor authentication is a highly valuable way to add an extra layer of security to online accounts on top of your password – and with minimal fuss at that. The bottom line is that even if a cybercriminal steals your password, they will still not be able to access your account unless they also possess the second factor.
There are several 2FA methods, but hardware-based solutions are generally seen as superior in terms of security to other methods, especially compared to the most common one that relies on text messages. (Make no mistake, however, even SMS-based 2FA is still far better than nothing.)
Google launched its own hardware security key last year and revealed that security tokens had essentially done away with the problem of phishing attacks against its employees. Having said that, chances are you may not want to spend anywhere between US$20-60 on a security key, be it Google’s own or one made by firms such as Yubico and Feitian Technology. Which is where your Android smartphone may come into play.