Google now lets iPhones act as FIDO hardware keys for better security

Posted:
in General Discussion
Following an update to Google's iOS Smart Lock app, iPhones can now be used as a Fast Identity Online (FIDO) security key. This replaces the physical hardware keys previously required -- and brings the iPhone into line with Android phones.

Adding Google's Advanced Protection Program to your Google account on iPhone
Adding Google's Advanced Protection Program to your Google account on iPhone


Users with Google accounts using the company's highest security features can now use an Apple iPhone to authenticate themselves when logging in via Chrome. Google's Smart Lock app now leverages Apple's secure enclave to allow an iPhone to act as a two-factor authentication key.

Two-factor authentication gives stronger protection than the more familiar two-step verification, where a user typically gain access via entering a code sent separately. That system relies for security on your being the only person who knows the code that's been sent to the user.

Two-factor authentication can instead rely on the user possessing a device or a physical key. For the iPhone to act as the key, it has to be physically close to the device that is being used to log in.

Consequently, with this stronger security, the Google Advanced Protection Program previously required either a separate, physical hardware key -- or an Android phone.

Hardware keys could be expensive, especially if needed for a large team of people, but now the service is free for iOS via Google Smart Lock 1.6 for iOS. The latest update to this adds the ability to "set up your phone's built-in security key, the best second factor protection for your Google Account."

It uses the fact that recent iPhones have a secure enclave. After it's been set up, the secure enclave contains your Touch ID fingerprint or Face ID information. When Google needs to verify your logging in to your account, it can check with the secure enclave that your face or fingerprint match.

So the iPhone itself becomes the hardware key that you can use to unlock your Google Account. This brings iPhones running the latest iOS 13 into line with Android 7+ phones, which gained the facility in mid-2019.

The feature is intended for high-profile users or ones with sensitive data on their Google accounts. As well as requiring higher-security authentication for a user to gain access to their Google account, the service also limited the ability of other apps to do so.

In 2018, Google added the ability for Apple's core Mail and Calendar apps to sync with Gmail and Google Calendar after authentication.
«1

Comments

  • Reply 1 of 27
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    watto_cobra
  • Reply 2 of 27
    GeorgeBMacGeorgeBMac Posts: 11,421member
    I won't even bother reading this article.
    Google and Security is just a non-sequitur.
    lkruppagilealtitudewatto_cobra
  • Reply 3 of 27
    gatorguygatorguy Posts: 23,510member
    axcess99 said:
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    https://landing.google.com/advancedprotection/
    The article includes this link, but not so obviously. The Google blog piece more clearly explains what this is and why it vastly improves security. 
    edited January 2020 JWSCmuthuk_vanalingam
  • Reply 4 of 27
    lkrupplkrupp Posts: 10,332member
    gatorguy said:
    axcess99 said:
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    https://landing.google.com/advancedprotection/
    The article includes this link, but not so obviously. The Google blog piece more clearly explains what this is and why it vastly improves security. 
    You simply cannot use the words Google and security in the same sentence. it's anathema and it's a shame you don't understand that.
    GeorgeBMacwatto_cobra
  • Reply 5 of 27
    uraharaurahara Posts: 690member
    I won't even bother reading this article.
    Google and Security is just a non-sequitur.

    lkrupp said:
    gatorguy said:
    axcess99 said:
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    https://landing.google.com/advancedprotection/
    The article includes this link, but not so obviously. The Google blog piece more clearly explains what this is and why it vastly improves security. 
    You simply cannot use the words Google and security in the same sentence. it's anathema and it's a shame you don't understand that.


    How am I to inteprete the fact that google has a relatively low security breach statistics (https://en.wikipedia.org/wiki/List_of_data_breaches )
    How good is Google's know-how in security sector?
    How much can we benefit from their knowledge and tools?

    edited January 2020 muthuk_vanalingamCarnage
  • Reply 6 of 27
    Am I right that using this places you at high risk of being locked out your accounts should your phone get stolen or broken?

    And if so is it a good idea for your key to be a desirable $1,500 phone?

    no one gonna steal a dongle 
    macplusplusviclauyyccornchipwatto_cobra
  • Reply 7 of 27
    lkrupp said:
    You simply cannot use the words Google and security in the same sentence. it's anathema and it's a shame you don't understand that.
    How am I to inteprete the fact that google has a relatively low security breach statistics (https://en.wikipedia.org/wiki/List_of_data_breaches )
    How good is Google's know-how in security sector?
    How much can we benefit from their knowledge and tools?
    I think he's maybe conflating "security" with "privacy."

    Google has one of the best records of FAANG companies for security tech, I think that's undeniable. But I wouldn't exactly trust them, either. 
    dewmeGeorgeBMacJWSCsandorStrangeDayscornchipavon b7muthuk_vanalingamFileMakerFellerCarnage
  • Reply 8 of 27
    gatorguygatorguy Posts: 23,510member
    lkrupp said:
    gatorguy said:
    axcess99 said:
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    https://landing.google.com/advancedprotection/
    The article includes this link, but not so obviously. The Google blog piece more clearly explains what this is and why it vastly improves security. 
    You simply cannot use the words Google and security in the same sentence. it's anathema and it's a shame you don't understand that.
    You really should read more rather than react off-the cuff lacking any knowledge about it. Then you could add some actually useful and helpful comments. 

    Your post would be akin to me writing "you simply cannot use the words Apple and open in the same sentence, it's anathema and it's a shame you don't understand that". 
    That's no more factual than your comment.  ;)

    Congrats to @urahara ;
    That member actually reads/researches before posting.  

    Fun Fact: Google even helps secure Amazon AWS services. 
    https://www.datacenterknowledge.com/google-alphabet/google-s-new-security-features-don-t-care-whose-data-center-you-re

    edited January 2020 dewmeJWSCviclauyyccornchipmuthuk_vanalingamFileMakerFellerCarnage
  • Reply 9 of 27
    ‘Forget it; drive on’
    watto_cobra
  • Reply 10 of 27
    I am perhaps a bit dense, but I learnt nothing from the article about why I would need something like this in the first place.

    What does this do for me that Apple's security processes and protocols and hardware do not?
    edited January 2020 GeorgeBMacStrangeDayscornchipwatto_cobra
  • Reply 11 of 27
    dewmedewme Posts: 4,643member
    kkqd1337 said:
    Am I right that using this places you at high risk of being locked out your accounts should your phone get stolen or broken?

    And if so is it a good idea for your key to be a desirable $1,500 phone?

    no one gonna steal a dongle 
    This is one of the only logic-based and pragmatic arguments put forth in the forum so far. Well done. 
    cornchipwatto_cobra
  • Reply 12 of 27
    GeorgeBMacGeorgeBMac Posts: 11,421member
    urahara said:
    I won't even bother reading this article.
    Google and Security is just a non-sequitur.

    lkrupp said:
    gatorguy said:
    axcess99 said:
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    https://landing.google.com/advancedprotection/
    The article includes this link, but not so obviously. The Google blog piece more clearly explains what this is and why it vastly improves security. 
    You simply cannot use the words Google and security in the same sentence. it's anathema and it's a shame you don't understand that.


    How am I to inteprete the fact that google has a relatively low security breach statistics (https://en.wikipedia.org/wiki/List_of_data_breaches )
    How good is Google's know-how in security sector?
    How much can we benefit from their knowledge and tools?


    Russia "has a relatively low security breach statistics" too.
    watto_cobra
  • Reply 13 of 27
    gatorguygatorguy Posts: 23,510member
    I am perhaps a bit dense, but I learnt nothing from the article about why I would need something like this in the first place.

    What does this do for me that Apple's security processes and protocols and hardware do not?
    Nope, you're not dense at all. That's one reason I linked the Blog article that better explains it. Post 3.
    https://landing.google.com/advancedprotection/

    Even more secure would be the primary advantage, depending of course on the services you use. 
    edited January 2020 muthuk_vanalingam
  • Reply 14 of 27
    StrangeDaysStrangeDays Posts: 12,325member
    lkrupp said:
    gatorguy said:
    axcess99 said:
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    https://landing.google.com/advancedprotection/
    The article includes this link, but not so obviously. The Google blog piece more clearly explains what this is and why it vastly improves security. 
    You simply cannot use the words Google and security in the same sentence. it's anathema and it's a shame you don't understand that.
    Well I think there are two similar but different problem spaces — security, and privacy. Google may well be fine at security; they just don’t give a shit about privacy. 
    muthuk_vanalingamGeorgeBMacFileMakerFellerwatto_cobra
  • Reply 15 of 27
    gatorguygatorguy Posts: 23,510member
    lkrupp said:
    gatorguy said:
    axcess99 said:
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    https://landing.google.com/advancedprotection/
    The article includes this link, but not so obviously. The Google blog piece more clearly explains what this is and why it vastly improves security. 
    You simply cannot use the words Google and security in the same sentence. it's anathema and it's a shame you don't understand that.
    Well I think there are two similar but different problem spaces — security, and privacy. Google may well be fine at security; they just don’t give a shit about privacy. 
    Good golly... Another flaky claim.  Doesn't anyone read anymore or it just more fun for you to post FUD and falsehoods? Of course Google cares about user privacy. It's integral to their business strategy and revenue model. Geesh o'Pete, get out of your cocoon. 

    https://www.wsj.com/articles/google-chrome-to-phase-out-third-party-cookies-in-effort-to-boost-privacy-11579026834
    https://arstechnica.com/information-technology/2020/01/google-plans-to-drop-chrome-support-for-tracking-cookies-by-2022/

    Selfish motivations can still be consumer and privacy positive.
    edited January 2020 Carnage
  • Reply 16 of 27
    avon b7avon b7 Posts: 6,513member
    Considering Google's scope, its security is top notch. It's record is surprisingly good given how ubiquitous its technology is.

    A little anecdote.

    A few years ago I was in a data centre which housed some Google hardware. It was the only gear that was individually under lock and key with access severely monitored and restricted. And this was in an already highly secure setting as the centre covered critical infrastructure (and petabytes of CERN data). I happened to meet a Google employee that was visiting but he looked like a very young, fat, happy hippy with a big bushy beard. Entirely not what I expected. This was in Spain and he had flown in from Poland. A really down to earth relaxed guy with a permanent smile.


    muthuk_vanalingamCarnagemaltz
  • Reply 17 of 27
    GeorgeBMacGeorgeBMac Posts: 11,421member
    avon b7 said:
    Considering Google's scope, its security is top notch. It's record is surprisingly good given how ubiquitous its technology is.

    A little anecdote.

    A few years ago I was in a data centre which housed some Google hardware. It was the only gear that was individually under lock and key with access severely monitored and restricted. And this was in an already highly secure setting as the centre covered critical infrastructure (and petabytes of CERN data). I happened to meet a Google employee that was visiting but he looked like a very young, fat, happy hippy with a big bushy beard. Entirely not what I expected. This was in Spain and he had flown in from Poland. A really down to earth relaxed guy with a permanent smile.



    Under lock and key inside an already secure facility?
    That illustrates the fallacy of those who defend our voting machines that, by design, cannot be audited, verified or recounted and are typically stored in old warehouses and such.  They claim:   "If it's not connected to the internet it can't be hacked." and then walk away with a satisfied smile thinking the issue is all settled and resolved. 
  • Reply 18 of 27
    mcdavemcdave Posts: 1,919member
    urahara said:
    I won't even bother reading this article.
    Google and Security is just a non-sequitur.

    lkrupp said:
    gatorguy said:
    axcess99 said:
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    https://landing.google.com/advancedprotection/
    The article includes this link, but not so obviously. The Google blog piece more clearly explains what this is and why it vastly improves security. 
    You simply cannot use the words Google and security in the same sentence. it's anathema and it's a shame you don't understand that.


    How am I to inteprete the fact that google has a relatively low security breach statistics (https://en.wikipedia.org/wiki/List_of_data_breaches )
    How good is Google's know-how in security sector?
    How much can we benefit from their knowledge and tools?

    I think they’re alluding to privacy contempt that’s core to Google’s business.  Why would you trust a thief with your keys?
    GeorgeBMac
  • Reply 19 of 27
    gatorguygatorguy Posts: 23,510member
    mcdave said:
    urahara said:
    I won't even bother reading this article.
    Google and Security is just a non-sequitur.

    lkrupp said:
    gatorguy said:
    axcess99 said:
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    https://landing.google.com/advancedprotection/
    The article includes this link, but not so obviously. The Google blog piece more clearly explains what this is and why it vastly improves security. 
    You simply cannot use the words Google and security in the same sentence. it's anathema and it's a shame you don't understand that.


    How am I to inteprete the fact that google has a relatively low security breach statistics (https://en.wikipedia.org/wiki/List_of_data_breaches )
    How good is Google's know-how in security sector?
    How much can we benefit from their knowledge and tools?

    I think they’re alluding to privacy contempt that’s core to Google’s business.  Why would you trust a thief with your keys?
    Maybe you'd do better with pictures, even better a cartoon...
    https://federated.withgoogle.com/
    Carnage
  • Reply 20 of 27
    GeorgeBMacGeorgeBMac Posts: 11,421member
    mcdave said:
    urahara said:
    I won't even bother reading this article.
    Google and Security is just a non-sequitur.

    lkrupp said:
    gatorguy said:
    axcess99 said:
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    https://landing.google.com/advancedprotection/
    The article includes this link, but not so obviously. The Google blog piece more clearly explains what this is and why it vastly improves security. 
    You simply cannot use the words Google and security in the same sentence. it's anathema and it's a shame you don't understand that.


    How am I to inteprete the fact that google has a relatively low security breach statistics (https://en.wikipedia.org/wiki/List_of_data_breaches )
    How good is Google's know-how in security sector?
    How much can we benefit from their knowledge and tools?

    I think they’re alluding to privacy contempt that’s core to Google’s business.  Why would you trust a thief with your keys?

    ... Or with your data....
    In another confirmation of the lack of trust of Google both major Electronic Health Record vendors are forcing hospitals to cut ties with Google cloud services in favor of more secure AWS and Microsoft services.

    Since a major revenue stream for EHR companies is selling your health information, to block the world leader in selling customer's data is a big deal.


    Epic Systems, a major medical records vendor, is warning customers it will stop working with Google Cloud


    https://www.cnbc.com/2020/01/17/epic-systems-warns-customers-it-will-stop-supporting-google-cloud.html


Sign In or Register to comment.