What Is a Google Security Key and How Does It Work with Your Android 7.0+ Phone?
Google's security people reckon that they know a thing or two about Two-Factor Authentication (2FA), or 2-Step Verification, as they like to call it. They think that the most secure 2FA systems are the ones based on a standard known as Universal Second Factor (U2F). Last year, they proudly announced that ever since implementing a U2F 2FA system, they have recorded absolutely no successful phishing attacks against Google employees.
The problem with U2F is that using it means getting a separate USB or NFC (Near-Field Communication) token which, although relatively cheap, costs money, and unfortunately, many people are not prepared to pay money for additional security. What's more, if you lose your U2F token, restoring access to your accounts could be a hassle.
Google tries to solve the 2FA problem
Google's security team reckon that they can get around this problem by implementing a standard similar to U2F in something people already have – their phones. Last week, the search engine giant announced that smartphones running Android 7.0 and higher can now act as what it calls "Security Keys" (the equivalent of U2F tokens) in Google's 2-Step Verification feature.
The idea is pretty simple: you try to access your Google account through a new device, and the Android phone in your pocket displays a notification. In order to complete the sign-in process, you must unlock your phone and confirm that the login attempt is legitimate. The advantages of this are obvious.
Even if someone has the login credentials for your Google account, they can't break into it. At the same time, there are no one-time passwords that can be phished or intercepted. And although people like Jay Brodsky, the person who filed a lawsuit against Apple for allegedly "forcing" him to use 2FA, will still complain about how hard everything is, the login process is as simplified as possible.
It almost sounds like a win-win situation. Unfortunately, it's not without its limitations.
We're not quite there yet
There are a few rather glaring compatibility issues. For one, Google is the one developing the technology, which means that, for the time being at least, it's available only on Android devices and works only with Google Chrome. The millions of people using iPhones, older Android phones, and other browsers won't have the chance to take advantage of it.
Furthermore, in order to make the security key work, you need to enable Bluetooth both on the smartphone and on the device you're using to log in to your Google account. You will be hard-pressed to find a laptop that doesn't support Bluetooth, but with desktop PCs, things are a little bit different. Of course, you can always purchase a Bluetooth dongle, but this presents a problem similar to the one we're facing with the U2F tokens – money.
Speaking of which, we already mentioned that losing U2F tokens could present some problems, and we can only imagine that the same goes for smartphones with security keys enabled.
So, on the whole, Google's new feature isn't perfect. It is more user-friendly and secure than what we have already, though, so if you have a relatively recent Android smartphone, you should probably consider enabling the security key in it. Google has added instructions on how to do that here.