Slashdot Mirror


You Can Now Use Your Android Phone as a 2FA Security Key for Google Accounts (venturebeat.com)

Google said today it will now enable Android users to use their smartphones as a Fast Identity Online (FIDO) security key (for two-step authentication) for their Google accounts, thereby addressing one of the biggest challenges that has slowed the adoption of this security measure: convenience. A report adds: You can thus use your Android phone to protect your personal Google account, and your G Suite, Cloud Identity, and Google Cloud Platform work accounts. (Android tablets aren't supported -- Google specifically limited the functionality since users are more likely to have phones with them.) This means Android phones can move from two-step verification (2SV) to two-factor authentication (2FA). 2SV is a method of confirming a user's identity using something they know (password) and a second thing they know (a code sent via text message). 2FA is a method of confirming a user's identity by using a combination of two different factors: something they know (password), something they have (security key), or something they are (fingerprint). The feature is coming only to Android devices versions 7 and up.

10 of 83 comments

  1. Google, Google, everywhere by DogDude · · Score: 2

    At this point, Google knows where you are, physically, every second of every day. They also know exactly what you do on the web, what you do via email, and what you do on your phone. Is everybody really OK with this? One company knowing literally everything they can possibly know about you, in exchange for a bit of convenience? That seems insane to me.

    --
    I don't respond to AC's.
  2. Only second factor if password isn't stored by Nkwe · · Score: 2

    If you save your password on the phone (so that it gets entered automatically on an app or website), then you are not really adding a second factor by proving that you have the device. For the password to be the "something you know" factor, the something needs to be something in your brain, not something stored on the same device that is the "something you have" factor. Does this new setup ensure that passwords cannot be saved?

    1. Re:Only second factor if password isn't stored by AmiMoJo · · Score: 3, Informative

      That isn't the threat model they are using.

      This protects against the biggest security threat currently out there: your password is re-used on another site and leaked by that other site, along with your Gmail address, and someone uses it to compromise your Google account. Since they don't have your phone that is no longer possible.

      It also protects against similar attacks, like shoulder surfing and keyloggers, where your password is compromised.

      If your phone is stolen you can only rely on whatever kind of lock screen you have set.

      If you log in via your phone's browser then at least even if your phone is compromised it would take multiple exploits to both get your password and trigger the secure authentication mechanism without user interaction.

      I'm not entirely sure what your threat model is... Someone steals your unlocked phone? It's probably already logged in to your Google account anyway.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Only second factor if password isn't stored by swillden · · Score: 2

      If you save your password on the phone (so that it gets entered automatically on an app or website), then you are not really adding a second factor by proving that you have the device. For the password to be the "something you know" factor, the something needs to be something in your brain, not something stored on the same device that is the "something you have" factor. Does this new setup ensure that passwords cannot be saved?

      This is for logging into a web site on a separate computer. Google doesn't provide any way to save your Google password on your phone and have it automatically sent to your computer, AFAIK.

      Actually your saved passwords are synced from computer to phone and back again if you are signed in to chrome on both devices. Very convenient but some risk for sure.

      Not your Google account password.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  3. Re:When did we lose the 2FA ? by swillden · · Score: 5, Informative

    Yeah, "The feature is coming only to Android devices versions 7 and up" is confusing for those of us already using 2FA. I've been using 2FA via Google Authenticator for some google accounts since Android 5. 2SV is not the only option, we already have a 2FA option. Or did we lose that 2FA option in recent history and now it's returning? I am only using 2FA on a somewhat "old" account.

    This is a new 2FA option. A pretty nice one, actually.

    Google Authenticator requires you to unlock your phone, open the app, read the number, type it into the browser window and click a submit button. Oh, and you have to do it relatively quickly because the number is only valid for a short period of time.

    With this new approach, which builds on Android's ability to act as a FIDO token (which itself is built on top of Android Keystore authentication -- which, BTW, I designed and built :-) ), your browser communicates via bluetooth with your phone to get a cryptographic authentication token. So from the user perspective, when you get to the 2FA request screen, you just unlock your phone and tap "okay".

    If you have a nano security key that just lives in the USB port all of the time, then that's still the most convenient 2FA approach, IMO. But there's a valid (though not strong, for most users) argument that leaving the security key in the USB port all of the time is a bad idea. In addition, to use a security key you have to buy a security key, which you probably don't already have.

    Of course the 2SV option (SMS code) still exists, but it's significantly weaker from a security perspective.

    Security is context-dependent, so you can't really place these things on a continuum, but if I make a bunch of simplifying assumptions about common user scenarios, I'd say that Android-as-FIDO is the strongest second factor auth option currently offered. Security keys generally use certified hardware which is arguably more secure than the relevant hardware in a phone, but Android-as-FIDO also requires user authentication (usually biometric; so it's arguably three factor), while security keys do not. The Authenticator app is a little weaker because a root compromise of the phone can extract the relevant long-lived secret.

    This new feature is good stuff. It's quite secure, and also very user-friendly, which encourages people who might otherwise not use 2FA to turn it on.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
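The challenge-response flow swillden describes above, as a constructed Go model added here (not code from the page, from Google, or from the commenter): the phone holds a private key that never leaves it, the browser supplies the origin it actually connected to, and the server accepts only a fresh challenge signed for its own origin. Ed25519 is used for brevity where real credentials are typically P-256; the origins and challenge handling are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Phone models the Android authenticator: a signing key generated on the
// device and never exported from it (a constructed model, not Google's code).
type Phone struct{ priv ed25519.PrivateKey }
func NewPhone() *Phone {
	_, k, _ := ed25519.GenerateKey(rand.Reader)
	return &Phone{priv: k}
}

// PublicKey is all the server learns about the phone at enrollment.
func (p *Phone) PublicKey() ed25519.PublicKey { return p.priv.Public().(ed25519.PublicKey) }

// signedData is what gets signed: the server's challenge plus the origin, which
// the browser fills in itself, so a phishing page cannot claim to be Google.
func signedData(challenge []byte, origin string) []byte {
	return append(append([]byte{}, challenge...), origin...)
}

// Assert is the "unlock and tap okay" step: a signature, not a secret, goes back.
func (p *Phone) Assert(challenge []byte, origin string) []byte {
	return ed25519.Sign(p.priv, signedData(challenge, origin))
}

// Server keeps the enrolled public key and at most one outstanding challenge.
type Server struct {
	Origin    string
	Pub       ed25519.PublicKey
	challenge []byte
}

func (s *Server) NewChallenge() []byte {
	s.challenge = make([]byte, 32)
	rand.Read(s.challenge)
	return s.challenge
}

// Verify rejects a stale or replayed challenge, an assertion made for another
// origin (a phishing site), and anything not signed by the enrolled phone.
func (s *Server) Verify(challenge []byte, origin string, sig []byte) bool {
	fresh := s.challenge != nil && string(challenge) == string(s.challenge)
	s.challenge = nil // single use
	if !fresh || origin != s.Origin {
		return false
	}
	return ed25519.Verify(s.Pub, signedData(challenge, origin), sig)
}
```

Contrast with the Authenticator app in the same comment: a TOTP seed is a long-lived shared secret that a rooted phone can hand over, whereas here a compromise only yields signatures over challenges the attacker already has.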
  4. Re:Move to 2FA by swillden · · Score: 3, Interesting

    Geez, why would anyone want to voluntarily GIVE google your phone number?

    This 2FA option does not require giving Google your phone number, unlike the much-weaker SMS-based 2SV option.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  5. Re:Why is this more secure? by swillden · · Score: 2

    SMS can be hijacked and rerouted. There have been a lot of real-world examples over the last year or two where attackers have social-engineered the telco to reroute SMS to a device they control, then used the SMS auth to compromise user accounts.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  6. Re:No by swillden · · Score: 2

    Absolutely not. I didn't mention the fact that I screwed up and tried out Google Fi. It FORCE tied my phone to my google account. There is no way to untie it now. I have been all the way to the developer level and they said that is by design.

    I don't think so. If you really can't remove the phone number associated with your account (and you're not on Fi any more) please email me and I'll file a bug. My slashdot username @google.com.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  7. Re:When did we lose the 2FA ? by Etcetera · · Score: 2

    your browser communicates via bluetooth with your phone

    Hard pass.

    Why? This is very good for security. Using a separate, non-Internet and inherently local channel (in the absence of sophisticated relay attacks) significantly increases security. Do you have a problem with bluetooth in particular, or some other aspect?

    I generally don't have bluetooth enabled on any computer I control, for security reasons. If or when I enable it, I certainly wouldn't give my browser access to local bluetooth functionality! Websites don't need to be poking around there.

    I appreciate that Google is thinking in terms of local connectivity, but running everything through a Google(tm) browser is about the least attractive way to do it.

  8. Re: ANDROID IS A PIECE OF SHIT by TomGreenhaw · · Score: 2

    From an end user experience, I'm not sure why choice of language is a critical issue, so I assume you are talking about using "java garbage" for development.

    Have you tried Visual Studio for Android Development? It has an Android Emulator and the Xamarin stack included now does provide a passable cross platform development environment. While it is better supported for C#, you can develop for Android using C++ in Visual Studio as well.

    --
    Greed is the root of all evil.