Slashdot Mirror

← Back to Stories (view on slashdot.org)

You Can Now Use Your Android Phone as a 2FA Security Key for Google Accounts (venturebeat.com)

Posted by msmash on from the better-security dept.

Google said today it will now enable Android users to use their smartphones as a Fast Identity Online (FIDO) security key (for two-step authentication) for their Google accounts, thereby addressing one of the biggest challenges that has slowed the adoption of this security measure: convenience. A report adds: You can thus use your Android phone to protect your personal Google account, and your G Suite, Cloud Identity, and Google Cloud Platform work accounts. (Android tablets aren't supported -- Google specifically limited the functionality since users are more likely to have phones with them.) This means Android phones can move from two-step verification (2SV) to two-factor authentication (2FA). 2SV is a method of confirming a user's identity using something they know (password) and a second thing they know (a code sent via text message). 2FA is a method of confirming a user's identity by using a combination of two different factors: something they know (password), something they have (security key), or something they are (fingerprint). The feature is coming only to Android devices versions 7 and up.

83 comments

  1. SPOT THE SOCIALISM by Anonymous Coward · · Score: -1

    Economic growth since 2009:
    - China: 139%
    - India: 96%
    - US: 34%
    - Europe: -2% (SOCIALISM)

    --
    The Daily Facts

    1. Re: SPOT THE SOCIALISM by Anonymous Coward · · Score: 0

      So you are saying communism is best?

    2. Re:SPOT THE SOCIALISM by b0s0z0ku · · Score: 1

      "Growth" and "consumption" were historical names for serious illnesses. Stability should be prioritized over growth, and Europe is doing that well.

    3. Re: SPOT THE SOCIALISM by Anonymous Coward · · Score: 0

      Chinese used to die of famine and poverty by the millions until they took the socialism out of communism. So yeah, their form of communism, which is a capitalist dictatorship, is better than any sort of socialism.

    4. Re:SPOT THE SOCIALISM by fluffernutter · · Score: 1

      All that matters is where people are happiest.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    5. Re:SPOT THE SOCIALISM by Anonymous Coward · · Score: 0

      Fuck off Ivan! This is a tech site

  2. Move to 2FA by Drethon · · Score: 1

    I'm using Google Authenticator for some applications. Maybe I'm confused (like a lot of things) but how does this help me move to 2FA?

    1. Re:Move to 2FA by cayenne8 · · Score: 0
      Geez, why would anyone want to voluntarily GIVE google your phone number?

      I mean....i know they have tons on everyone, but I try not to voluntarily give them any info I don't have to, especially don't like to confirm my phone number to them.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    2. Re:Move to 2FA by b0bby · · Score: 1

      This is different in that it's talking to your PC over Bluetooth, and you just hit a button on your phone rather than type in the code from Authenticator.

    3. Re:Move to 2FA by Drethon · · Score: 1

      Geez, why would anyone want to voluntarily GIVE google your phone number?

      I mean....i know they have tons on everyone, but I try not to voluntarily give them any info I don't have to, especially don't like to confirm my phone number to them.

      When the college servers require Google Authentication to be used to sign in, concessions are made to complete a degree with significant money already sunk in. Plus, it is an Android phone, I think Google had the ability to get the number if they wanted the second I registered it.

    4. Re:Move to 2FA by swillden · · Score: 3, Interesting

      Geez, why would anyone want to voluntarily GIVE google your phone number?

      This 2FA option does not require giving Google your phone number, unlike the much-weaker SMS-based 2SV option.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re:Move to 2FA by Anonymous Coward · · Score: 0

      Geez, why would anyone want to voluntarily GIVE google your phone number?

      I mean....i know they have tons on everyone, but I try not to voluntarily give them any info I don't have to, especially don't like to confirm my phone number to them.

      So in other words you have no clue what Google authenticator does? Hint: it has nothing to do with your phone number.

    6. Re:Move to 2FA by Anonymous Coward · · Score: 0

      This 2FA option requires an Android phone, so it's safe to assume that Google has your phone number simply from that.

    7. Re:Move to 2FA by Anonymous Coward · · Score: 0

      If you're that paranoid, you probably shouldn't have a Google account at all.

      Anyways, nobody is forcing people to use it, there's other options like FIDO available, although Google is really dragging its feet on getting it to work with other browsers.

    8. Re: Move to 2FA by Anonymous Coward · · Score: 0

      Not much use if the main thing you do with you Google account is Find my Device. I can't find my device because I have lost my device and can't do 2FA.

  3. Google, Google, everywhere by DogDude · · Score: 2

    At this point, Google knows where you are, physically, every second of every day. They also know exactly what you do on the web, what you do via email, and what you do on your phone. Is everybody really OK with this? One company knowing literally everything they can possibly know about you, in exchange for a bit of convenience? That seems insane to me.

    --
    I don't respond to AC's.
    1. Re:Google, Google, everywhere by Anonymous Coward · · Score: 0

      "Google knows where you are, physically, every second of every day."

      Only if you leave your wifi and location services on but why would I do that?

    2. Re:Google, Google, everywhere by mandark1967 · · Score: 1

      "Google knows where you are, physically, every second of every day."

      Only if you leave your wifi and location services on but why would I do that?

      So Google knows where you are, physically, every second of every day you insensitive clod!

      --
      Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
    3. Re:Google, Google, everywhere by Anonymous Coward · · Score: 0

      "Google knows where you are, physically, every second of every day."

      Only if you leave your wifi and location services on but why would I do that?

      The average computer user is incredibly ignorant of their own systems. Default settings matter a fucking lot here, so before you ask "why", ask what the default setting is. You'll have your answer as to the true impact.

    4. Re:Google, Google, everywhere by doconnor · · Score: 1

      Doesn't Android ask you if you want to do this during the set up process?

    5. Re: Google, Google, everywhere by astrofurter · · Score: 1

      "Is everybody really OK with this?"

      NO ONE is okay with this. If people were to vote on the question - "who wants every detail of your life snooped by an evil megacorp 24/7/365 with no warrant, no suspicion, and no recourse?" - the overwhelming majority would vote "fuck no".

      The only reason the iron boot of the police state hasn't already stomped Google is... that Google is de facto part of that police state.

      Big Brother Google is always watching.

    6. Re: Google, Google, everywhere by astrofurter · · Score: 1

      You CANNOT turn off location services. All your can do is ask the factory-p0wned OS, please turn off location services. From what we know of Google, it's pretty safe to assume the OS never honors your request.

    7. Re:Google, Google, everywhere by thegarbz · · Score: 1

      Is everybody really OK with this?

      Yes, because what people know is just a part of a complicated equation which also includes other factors such as what they do with the data, how much you trust them, and that latter one is inherently based on past performance as an indicator of perceived future performance.

      So let me ask you a question: Can you point to actual tangible negative impacts that people have experienced as a result of Google knowing this data? Because fundamentally that makes up the trust component. People have a high trust because for all the data Google's collected they haven't actually been negatively impacted.

      The other part of the equation people can point to: All the benefits that have arisen from google knowing where they are at all times. Mapping, traffic, and public transit to name the 3 obvious ones. More relevant search results. Cheaper energy bills when combined with Nest products etc.

      Now if Microsoft collected even a fraction of what Google does I'd be getting the pitchforks out, especially since MS's business model doesn't depend on protecting your raw data. Amazon have only just been caught training their system with sound files while actually showing names, serial numbers and account information to the people doing that, fuck that noise. Google on the other hand seem to be quite competent with anonymising and controlling data.

    8. Re: Google, Google, everywhere by thegarbz · · Score: 1

      NO ONE is okay with this. If people were to vote on the question - "who wants every detail of your life snooped by an evil megacorp 24/7/365 with no warrant, no suspicion, and no recourse?" - the overwhelming majority would vote "fuck no".

      That's because it's an irrelevant question which doesn't apply here. Remove your own personal biases by replacing evil megacorp with the word "google" allowing people to make an assessment of trustworthyness, and then list in the questions the benefits they have received in exchange and the question becomes and overwhelming "fuck yes" with a bit of "meh" from the more privacy conscious.

      Would you let me punch you in the face?
      Would you let me punch you in the face if you knew I was weak as piss and I offered you $100 to do it?

      Two very different questions.

    9. Re: Google, Google, everywhere by astrofurter · · Score: 1

      How's that bootleather taste?

  4. No by rtkluttz · · Score: 0

    I don't WANT there to be any tie in between my user account and my device. I want my accounts to both secure AND as anonymous as possible. I don't want Google's repeated efforts of tieing a specific human to a specific user account. That is not for them to know and I trust them even less than malware creators.

    --
    Digital is, by definition, imperfect. Analog is the way to go.
    1. Re:No by mlw4428 · · Score: 1

      So don't use the products? You're complaining and the fact of the matter is that 90% of Google's target audience doesn't hold the same values you do. In Googleland you're the product, not the customer. It's parasitic symbiosis, if such a thing can exist. They will do what they can to keep you engaged so that they can collect the data and sell it so they make their profit. The benefit you get is that usefulness of products and an engaging enough experience. But yes, you throw away privacy. If you want Google to do what Apple does you're gonna need to pay $1500/phone + support contract and at some point you'll be forced to upgrade. Don't like it? Don't use the products.

    2. Re:No by bobby · · Score: 1

      Next will be 3FA, then 4, and at some point they will wear you down and you will be assimilated.

    3. Re:No by Anonymous Coward · · Score: 0

      I don't want Google's repeated efforts of tieing a specific human to a specific user account.

      Honestly I had no idea that I was manufacturing mutant humans when I create google test accounts for my job

    4. Re:No by DogDude · · Score: 1

      If you want Google to do what Apple does you're gonna need to pay $1500/phone + support contract and at some point you'll be forced to upgrade.

      Or, you could just not use a "smart" phone.

      Or you could do what I do: use a Windows Phone when I need a "smart" phone.

      --
      I don't respond to AC's.
    5. Re:No by Anonymous Coward · · Score: 0

      is zed dead in your reality?

    6. Re:No by swillden · · Score: 1

      Next will be 3FA, then 4, and at some point they will wear you down and you will be assimilated.

      Arguably, if your phone has a fingerprint scanner, this is three-factor. You have to unlock your phone to authorize it to send the cryptographic second-factor message to your computer via bluetooth. And, of course, this is after you entered your password. So... something you know (your password), something you have (your phone) and something you are (your fingerprint, to unlock the phone).

      It's "arguable" not "fact", because some definitions of 3FA would require that the backend verify the third authenticator as well, where in this case that's done on the phone (the something-you-have). In practice, secure remote biometric verification is, er, hard.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    7. Re:No by swillden · · Score: 1

      I don't WANT there to be any tie in between my user account and my device. I want my accounts to both secure AND as anonymous as possible. I don't want Google's repeated efforts of tieing a specific human to a specific user account.

      Google has no interest in tying a specific human to a user account, outside of some groups within Google that fight abuse (a common abuse tactic is to great huge numbers of accounts, and spread the abuse across them), and even they don't care about tying specific people to accounts, they just want to make bulk account creation hard. Besides that, Google doesn't care if you have several accounts or few of them, and doesn't really care if the names, etc. on them are real.

      In any case, this new 2FA feature has nothing to do with that, and, actually, does nothing to make your goal of using Google services anonymously any harder.

      This feature is all about preventing account hijacking and theft. Passwords alone have not been secure for quite some time, and are getting worse all the time. Something more is needed. The "security questions" approach is laughably bad. Worse than the passwords it's trying to cover for. SMS-based two-step verification is better, but SMS hijacking can defeat it. Plus, people like you don't want to add a phone number to your Google account, and SMS 2SV obviously requires that.

      This new 2FA option allows your phone to act as a cryptographic second factor for logging you on. It does not use your phone number to do this, and doesn't in any way tie you as a human to the Google account... it involves creating a new (random!) cryptographic key on your phone and then associating that with your account.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    8. Re:No by Anonymous Coward · · Score: 0

      resistance is futile...

    9. Re:No by mlw4428 · · Score: 1

      Except like Microsoft has dumped all support of it.

    10. Re:No by rtkluttz · · Score: 1

      Absolutely not. I didn't mention the fact that I screwed up and tried out Google Fi. It FORCE tied my phone to my google account. There is no way to untie it now. I have been all the way to the developer level and they said that is by design. So since I used a Google fi account tied to my gmail account, I can no longer part with my phone. If I carry my companies loaner phone and try to check my personal email while on a work visit to another area, there is no way I can do it without also carrying my cell phone to get the authentication text. Their stated goal is tie one to the other and that goal is slowly creeping into other services they offer.

      --
      Digital is, by definition, imperfect. Analog is the way to go.
    11. Re:No by swillden · · Score: 2

      Absolutely not. I didn't mention the fact that I screwed up and tried out Google Fi. It FORCE tied my phone to my google account. There is no way to untie it now. I have been all the way to the developer level and they said that is by design.

      I don't think so. If you really can't remove the phone number associated with your account (and you're not on Fi any more) please email me and I'll file a bug. My slashdot username @google.com.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    12. Re:No by DogDude · · Score: 1

      That's why it makes such a great phone to use: nobody's tracking it, including Microsoft.

      --
      I don't respond to AC's.
    13. Re:No by Anonymous Coward · · Score: 0

      Such a great phone, where vulnerabilities will continue to mount over time and no more patches will ever be available! Soon it'll surpass Windows 98 as the least secure Windows ever!

  5. When did we lose the 2FA ? by drnb · · Score: 1

    Yeah, "The feature is coming only to Android devices versions 7 and up" is confusing for those of us already using 2FA. I've been using 2FA via Google Authenicator for some google accounts since Android 5. 2SV is not the only option, we already have a 2FA option. Or did we lose that 2FA option in recent history and now its returning? I am only using 2FA on a somewhat "old" account.

    1. Re:When did we lose the 2FA ? by swillden · · Score: 5, Informative

      Yeah, "The feature is coming only to Android devices versions 7 and up" is confusing for those of us already using 2FA. I've been using 2FA via Google Authenicator for some google accounts since Android 5. 2SV is not the only option, we already have a 2FA option. Or did we lose that 2FA option in recent history and now its returning? I am only using 2FA on a somewhat "old" account.

      This is a new 2FA option. A pretty nice one, actually.

      Google Authenticator requires you to unlock your phone, open the app, read the number, type it into the browser window and click a submit button. Oh, and you have to do it relatively quickly because the number is only valid for a short period of time.

      With this new approach, which builds on Android's ability to act as a FIDO token (which itself is built on top of Android Keystore authentication -- which, BTW, I designed and built :-) ), your browser communicates via bluetooth with your phone to get a cryptographic authentication token. So from the user perspective, when you get to the 2FA request screen, you just unlock your phone and tap "okay".

      If you have a nano security key that just lives in the USB port all of the time, then that's still the most convenient 2FA approach, IMO. But there's a valid (though not strong, for most users) argument that leaving the security key in the USB port all of the time is a bad idea. In addition, to use a security key you have to buy a security key, which you probably don't already have.

      Of course the 2SV option (SMS code) still exists, but it's significantly weaker from a security perspective.

      Security is context-dependent, so you can't really place these things on a continuum, but if I make a bunch of simplifying assumptions about common user scenarios, I'd say that Android-as-FIDO is the strongest second factor auth option currently offered. Security keys generally use certified hardware which is arguably more secure than the relevant hardware in a phone, but Android-as-FIDO also requires user authentication (usually biometric; so it's arguably three factor), while security keys do not. The Authenticator app is a little weaker because a root compromise of the phone can extract the relevant long-lived secret.

      This new feature is good stuff. It's quite secure, and also very user-friendly, which encourages people who might otherwise not use 2FA to turn it on.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:When did we lose the 2FA ? by jimbo · · Score: 1

      Thank you for the detailed explanation. I seem to be using another option from the ones described; I initiate Google login on my PC and enter password, my phone bleeps so I unlock it and press "yes it is me" - no code just the prompt. On iPhone it requires the Google Home app, not Authenticator, on Android as well I think.

      The FIDO approach seems more secure and supports more than just Google accounts, but requires a local/PAN BT connection?
      What are the fallback options if, say, borrowing a PC without BT? Enter a number?

    3. Re:When did we lose the 2FA ? by sexconker · · Score: 1

      your browser communicates via bluetooth with your phone

      Hard pass.

    4. Re: When did we lose the 2FA ? by Anonymous Coward · · Score: 0

      Wouldn't it be possible to use USB instead of Bluetooth ? Many desktop PC have no BT...

    5. Re:When did we lose the 2FA ? by AmiMoJo · · Score: 1

      So this is similar to the existing system where when you log in to your Google account a screen pops up on your phone asking you to confirm it's you, but extended so that it works on all sites that support U2F?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:When did we lose the 2FA ? by Anonymous Coward · · Score: 0

      If it's anything like older implementations, there's a one time pad available as a back up.

    7. Re:When did we lose the 2FA ? by Anonymous Coward · · Score: 0

      If it communicates with the browser over bluetooth, I have a few questions: Does this use the BLE enabled in the browser? I thought that feature had to be turned on. I assume that this means that bluetooth has to be enabled on the laptop. Why not generate a set of public/private keys on the phone, and sync the public key through a known channel to a server, and send the private key to the browser. The requested server could then get the public key from the known server, and you'd defeat any MiTM attacks. You'd basically use the phone/known server as the key pair generator for Kerberos. Does this 2FA approach have the same issues as SMS-based 2FA, where if the user connects to an intercepting server, it just passes on the 2nd key and hijacks the session?

    8. Re:When did we lose the 2FA ? by swillden · · Score: 1

      your browser communicates via bluetooth with your phone

      Hard pass.

      Why? This is very good for security. Uses a separate, non-Internet and inherently local (in the absence of sophisticated relay attacks), channel significantly increases security. Do you have a problem with bluetooth in particular, or some other aspect?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    9. Re:When did we lose the 2FA ? by Etcetera · · Score: 2

      your browser communicates via bluetooth with your phone

      Hard pass.

      Why? This is very good for security. Uses a separate, non-Internet and inherently local (in the absence of sophisticated relay attacks), channel significantly increases security. Do you have a problem with bluetooth in particular, or some other aspect?

      I generally don't have bluetooth enabled on any computer I control, for security reasons. If or when I enable it, I certainly wouldn't give my browser access to local bluetooth functionality! Websites don't need to be poking around there.

      I appreciate that Google is thinking in terms of local connectivity, but running everything through a Google(tm) browser is about the least attractive way to do it.

      --
      Hire a Linux system administrator, systems engineer,
    10. Re: When did we lose the 2FA ? by Anonymous Coward · · Score: 0

      Interesting explanation, thanks.

      How, if at all, does this enable Google to profile users to an even greater extent?

      Or is that moot because Android takes away all privacy anyway and people choose it because they don't care?

    11. Re:When did we lose the 2FA ? by ctilsie242 · · Score: 1

      First of all, thank you for designing Android Keystore. This is something that all operating systems need to have, and it is a very useful security feature.

      My take is that even if there might be vulnerabilities with 2FA on Android, or any phone OS for that matter... getting people to use 2FA is worth it, because most security compromises are mitigated by 2FA, even more so with physical tokens that one presses (like YubiKeys). 2FA goes a long way in ensuring that a keylogger doesn't cause a complete and utter compromise of bank data.

      The only thing I wish for, with 2FA seeds, is a standard for backing them up which works across devices. There are programs that sync them, but it would be nice to have both a reliable and safe, yet secure (encrypted, of course) method of storing those seeds somewhere, so one can reload them if they lose their phone. I keep an iPod Touch around and synced with a program like CodeBook, EnPass, or 1Password, just so I can get access back. If 2FA seeds are lost, there can be Hell to pay. For example, I have some NAS devices that don't have any recovery mechanism... lose the MFA code, and one either uses one of the 5-10 recovery codes, or is just plain SOL and has to rebuild the NAS from scratch.

    12. Re:When did we lose the 2FA ? by jrumney · · Score: 1

      Bluetooth? I guess it is more secure than the old GCM based authorization that they pulled some time back, but are people really letting their Browsers directly access hardware now? Or if you are using Chrome you don't have a choice?

    13. Re:When did we lose the 2FA ? by Anonymous Coward · · Score: 0

      You built this? Wait I don't get it. What if someone just steals my phone?

    14. Re: When did we lose the 2FA ? by Anonymous Coward · · Score: 0

      "It's quite secure"

      Nothing that runs on a mobile phone is remotely close to "secure".

    15. Re: When did we lose the 2FA ? by Anonymous Coward · · Score: 0

      People choose Android because iOS is just as insecure, factory p0wned, and stalker-ish - but only runs on uncompetitively expensive hardware.

    16. Re:When did we lose the 2FA ? by msk · · Score: 1

      In addition to the other issues noted in this part of the thread, power consumption, having to have Bluetooth enabled before starting the session that depends on the auth, remembering to disable Bluetooth after it's done.

      I'd rather type a six-digit code. And, frankly, I'd rather have a physical token for the most-used applications. I do not like having to find my phone, hope it's charged, unlock it, navigate to the app or notification, then do whatever else is needed to finish the process.

      For someone with severe mobility issues, this might be better than typing a code. For me, it's not.

  6. 2FA or 1? by bobby · · Score: 1

    So now the phone becomes the only factor, right? So we're back to 1FA. Don't lose that phone.

    1. Re:2FA or 1? by Anonymous Coward · · Score: 0

      No, you still need to sign in using the password, but you also have to approve it with your phone. This is the same as every other 2FA system you can assign to a Google account, and you can assign multiple so losing one does not completely lock you out.

      I think the big change here is the use of FIDO in the background and the secure element on the phone, because Google accounts have been able to use phones with the Google App (both Android and iOS devices) as a second factor for ages, with nearly the identical Yes/No UI presented in the article. That feature is called Google prompt.

    2. Re:2FA or 1? by bobby · · Score: 1

      Yeah but password managers, auto-logins, ... ?

  7. ANDROID IS A PIECE OF SHIT by Anonymous Coward · · Score: -1

    n/t

    1. Re: ANDROID IS A PIECE OF SHIT by Anonymous Coward · · Score: 0

      Remove all java garbage from it and I might be interested.
      Replace with C++.

    2. Re: ANDROID IS A PIECE OF SHIT by TomGreenhaw · · Score: 2

      From an end user experience, I'm not sure why choice of language is a critical issue, so I assume you are talking about using "java garbage" for development.

      Have you tried Visual Studio for Android Development? It has an Android Emulator and the Xamarin stack included now does provide a passable cross platform development environment. While it is better supported for C#, you can develop for Android using C++ in Visual Studio as well.

      --
      Greed is the root of all evil.
  8. Only second factor if password isn't stored by Nkwe · · Score: 2

    If you save your password on the phone (so that it gets entered automatically on an app or website), then you are not really adding a second factor by proving that you have the device. For the password to be the "something you know" factor, the something needs to be something in your brain, not something stored the same device that is the "something you have" factor. Does this new setup ensure that passwords can not be saved?

    1. Re:Only second factor if password isn't stored by b0bby · · Score: 1

      This is using the phone for accounts on your PC.

    2. Re:Only second factor if password isn't stored by swillden · · Score: 1

      If you save your password on the phone (so that it gets entered automatically on an app or website), then you are not really adding a second factor by proving that you have the device. For the password to be the "something you know" factor, the something needs to be something in your brain, not something stored the same device that is the "something you have" factor. Does this new setup ensure that passwords can not be saved?

      This is for logging into a web site on a separate computer. Google doesn't provide any way to save your Google password on your phone and have it automatically sent to your computer, AFAIK.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Only second factor if password isn't stored by chemish · · Score: 1

      If you save your password on the phone (so that it gets entered automatically on an app or website), then you are not really adding a second factor by proving that you have the device. For the password to be the "something you know" factor, the something needs to be something in your brain, not something stored the same device that is the "something you have" factor. Does this new setup ensure that passwords can not be saved?

      This is for logging into a web site on a separate computer. Google doesn't provide any way to save your Google password on your phone and have it automatically sent to your computer, AFAIK.

      Actually your saved passwords are synced from computer to phone and back again if you are signed in to chrome on both devices. Very convenient but some risk for sure.

    4. Re:Only second factor if password isn't stored by Nkwe · · Score: 1

      If you save your password on the phone (so that it gets entered automatically on an app or website), then you are not really adding a second factor by proving that you have the device. For the password to be the "something you know" factor, the something needs to be something in your brain, not something stored the same device that is the "something you have" factor. Does this new setup ensure that passwords can not be saved?

      This is for logging into a web site on a separate computer. Google doesn't provide any way to save your Google password on your phone and have it automatically sent to your computer, AFAIK.

      Thanks for the clarification. That being said, if you save your password on your computer then your "factor strength" would be two things you have and zero things you know. The strength of "two factor" comes from having two different factor types, not just two different authentication checks.

    5. Re:Only second factor if password isn't stored by AmiMoJo · · Score: 3, Informative

      That isn't the threat model they are using.

      This protects against the biggest security threat currently out there: your password is re-used on another site and leaked by that other site, along with your Gmail address, and someone uses it to compromise your Google account. Since they don't have your phone that is no longer possible.

      It also against similar attacks, like shoulder surfing and keyloggers, where your password is compromised.

      If your phone is stolen you can only rely on whatever kind of lock screen you have set.

      If you log in via your phone's browser then at least even if your phone is compromised it would take multiple exploits to bother get your password and trigger the secure authentication mechanism without user interaction.

      I'm not entirely sure what your threat model is... Someone steals your unlocked phone? It's probably already logged in to your Google account anyway.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:Only second factor if password isn't stored by swillden · · Score: 2

      If you save your password on the phone (so that it gets entered automatically on an app or website), then you are not really adding a second factor by proving that you have the device. For the password to be the "something you know" factor, the something needs to be something in your brain, not something stored the same device that is the "something you have" factor. Does this new setup ensure that passwords can not be saved?

      This is for logging into a web site on a separate computer. Google doesn't provide any way to save your Google password on your phone and have it automatically sent to your computer, AFAIK.

      Actually your saved passwords are synced from computer to phone and back again if you are signed in to chrome on both devices. Very convenient but some risk for sure.

      Not your Google account password.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    7. Re:Only second factor if password isn't stored by Dragonslicer · · Score: 1

      That being said, if you save your password on your computer then your "factor strength" would be two things you have and zero things you know.

      You don't have a master password set for your password manager?

  9. Is it really secure 2FA? by Anonymous Coward · · Score: 0

    Let's see. A secure USB dongle that literally destroys itself if tampered with OR an Android phone that will likely be hacked several times a year. Which would you choose?

    1. Re:Is it really secure 2FA? by bob4u2c · · Score: 1

      OR an Android phone that will likely be hacked several times a year

      This.

      Reading the article it appears that when your phone is paired it will send a notification, that you choose yes/no to to verify you intend to login. So a message sent over open air waves? That seems like a bad idea. Its not clear if this is their FIDO implementation or 2FA. This seems to be the case though as they claim it will stop sites that prompt for a username/password/token because without connecting to a valid google account it won't trigger the message on your phone. So something has to be pushed to your phone.

      Even if the device generates a token like YubiKeys, having that on your phone seems like a bad idea as your phone can be hacked and that key can be extracted. I had an employer install Semantic Security tokens the same way on our machines, while the idea is nice, there is no assurance that it can't be hacked. The something you carry part of 2FA should not be something that can connect to the internet directly/indirectly as when the device is hacked, so is your key. A USB dongle, or standalone bluetooth token keychain is way more secure, not perfect, but better than sending a message than can be viewed.

  10. End goal - making having Android device mandatory by sinij · · Score: 1

    I don't trust Google with this, as it is clear that the end goal is making having Android device mandatory to authenticate online. This is not unlike Microsoft and its early efforts with Office software -in the end they succeeded with MS Office becoming defacto standard.

  11. Priceless... by Anonymous Coward · · Score: -1

    "You Can Now Use Your Android Phone as a 2FA Security Key for Google Accounts"

    Android... Google... SECURITY! HAHAHAHAHA! What a joke... God, have mercy...

  12. Why is this more secure? by Gabest · · Score: 1

    I mean in general, confirming logins on a phone. Anyone can see the SMS who has it. Logging in on a PC and typing in the SMS from the phone is okay, since it is two different device and someone on the internet will not have my phone.

    1. Re:Why is this more secure? by swillden · · Score: 2

      SMS can be hijacked and rerouted. There have been a lot of real-world examples over the last year or two where attackers have social-engineered the telco to reroute SMS to a device they control, then used the SMS auth to compromise user accounts.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  13. Been doing it for months by Anonymous Coward · · Score: 0

    I've been using my Android phone for 2FA for my google accounts literally for months. Several months ago I started getting asked to check my phone when I logged into gmail, and to tap the correct number that pops up on the screen. I can only assume this is the puppy they're talking about here.

  14. Three types of two factor authorization by Anonymous Coward · · Score: 0

    2FA -- uses an authorization code. Amazon can use this. Code is an SMS text or from authorization app.

    FIDO -- uses login ID and a hardware dongle. Github uses this.

    U2F (also known as FIDO2) -- uses only a hardware dongle. Google can use this. Almost no one else does.

    Make sure Firefox about:config has set security.webauth.u2f true

    FWIW, Banks are years behind. Almost no banks supports auth apps, FIDO, or FiDO2/U2F

  15. So what's new? by Martin+S. · · Score: 1

    I've been doing this for two years with Google Authenticator.

    https://play.google.com/store/...

  16. So they can rob me via my phone now? by WillAffleckUW · · Score: 1

    Good thing I don't have an android phone.

    --
    -- Tigger warning: This post may contain tiggers! --
  17. new? by Anonymous Coward · · Score: 0

    Being doing this for months in my xiaomi A1.

  18. OK, bad title by drnb · · Score: 1

    OK. It was a bad slashdot article title. Its not you can now use 2FA, its you now have a second way to use 2FA. Thanks for clarifying things.

  19. Optional? by fluffernutter · · Score: 1

    I hope this is optional! Apple FORCES me to use my iPhone or my Mac for 2FA and I don't have them with me all the time. Sorry, I'm not an apple person. My iPhone is a test device only.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.