Google now lets iPhones act as FIDO hardware keys for better security

Following an update to Google's iOS Smart Lock app, iPhones can now be used as a Fast Identity Online (FIDO) security key. This replaces the physical hardware keys previously required -- and brings the iPhone into line with Android phones.

Adding Google's Advanced Protection Program to your Google account on iPhone


Users with Google accounts using the company's highest security features can now use an Apple iPhone to authenticate themselves when logging in via Chrome. Google's Smart Lock app now leverages Apple's secure enclave to allow an iPhone to act as a two-factor authentication key.

Two-factor authentication gives stronger protection than the more familiar two-step verification, where a user typically gains access by entering a code sent separately. That system relies for its security on the user being the only person who knows the code that has been sent.

Two-factor authentication can instead rely on the user possessing a device or a physical key. For the iPhone to act as the key, it has to be physically close to the device that is being used to log in.

Consequently, with this stronger security, the Google Advanced Protection Program previously required either a separate, physical hardware key -- or an Android phone.

Hardware keys could be expensive, especially if needed for a large team of people, but now the service is free for iOS via Google Smart Lock 1.6 for iOS. The latest update to this adds the ability to "set up your phone's built-in security key, the best second factor protection for your Google Account."

It uses the fact that recent iPhones have a secure enclave. After it's been set up, the secure enclave contains your Touch ID fingerprint or Face ID information. When Google needs to verify that you are logging in to your account, it can check with the secure enclave that your face or fingerprint matches.

So the iPhone itself becomes the hardware key that you can use to unlock your Google Account. This brings iPhones running the latest iOS 13 into line with Android 7+ phones, which gained the facility in mid-2019.

The feature is intended for high-profile users or ones with sensitive data on their Google accounts. As well as requiring higher-security authentication for a user to gain access to their Google account, the service also limited the ability of other apps to do so.

In 2018, Google added the ability for Apple's core Mail and Calendar apps to sync with Gmail and Google Calendar after authentication.

Comments

  • Reply 1 of 27
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
  • Reply 2 of 27
    GeorgeBMac Posts: 11,421 member
    I won't even bother reading this article.
    Google and Security is just a non-sequitur.
  • Reply 3 of 27
    gatorguy Posts: 24,213 member
    axcess99 said:
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    https://landing.google.com/advancedprotection/
    The article includes this link, but not so obviously. The Google blog piece more clearly explains what this is and why it vastly improves security. 
    edited January 2020
  • Reply 4 of 27
    lkrupp Posts: 10,557 member
    gatorguy said:
    axcess99 said:
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    https://landing.google.com/advancedprotection/
    The article includes this link, but not so obviously. The Google blog piece more clearly explains what this is and why it vastly improves security. 
    You simply cannot use the words Google and security in the same sentence. it's anathema and it's a shame you don't understand that.
  • Reply 5 of 27
    urahara Posts: 733 member
    I won't even bother reading this article.
    Google and Security is just a non-sequitur.

    lkrupp said:
    gatorguy said:
    axcess99 said:
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    https://landing.google.com/advancedprotection/
    The article includes this link, but not so obviously. The Google blog piece more clearly explains what this is and why it vastly improves security. 
    You simply cannot use the words Google and security in the same sentence. it's anathema and it's a shame you don't understand that.


    How am I to interpret the fact that Google has a relatively low security breach statistics (https://en.wikipedia.org/wiki/List_of_data_breaches)
    How good is Google's know-how in security sector?
    How much can we benefit from their knowledge and tools?

    edited January 2020
  • Reply 6 of 27
    Am I right that using this places you at high risk of being locked out of your accounts should your phone get stolen or broken?

    And if so is it a good idea for your key to be a desirable $1,500 phone?

    no one gonna steal a dongle 
  • Reply 7 of 27
    lkrupp said:
    You simply cannot use the words Google and security in the same sentence. it's anathema and it's a shame you don't understand that.
    How am I to interpret the fact that Google has a relatively low security breach statistics (https://en.wikipedia.org/wiki/List_of_data_breaches)
    How good is Google's know-how in security sector?
    How much can we benefit from their knowledge and tools?
    I think he's maybe conflating "security" with "privacy."

    Google has one of the best records of FAANG companies for security tech, I think that's undeniable. But I wouldn't exactly trust them, either. 
  • Reply 8 of 27
    gatorguy Posts: 24,213 member
    lkrupp said:
    gatorguy said:
    axcess99 said:
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    https://landing.google.com/advancedprotection/
    The article includes this link, but not so obviously. The Google blog piece more clearly explains what this is and why it vastly improves security. 
    You simply cannot use the words Google and security in the same sentence. it's anathema and it's a shame you don't understand that.
    You really should read more rather than react off-the-cuff lacking any knowledge about it. Then you could add some actually useful and helpful comments. 

    Your post would be akin to me writing "you simply cannot use the words Apple and open in the same sentence, it's anathema and it's a shame you don't understand that". 
    That's no more factual than your comment.  ;)

    Congrats to @urahara ;
    That member actually reads/researches before posting.  

    Fun Fact: Google even helps secure Amazon AWS services. 
    https://www.datacenterknowledge.com/google-alphabet/google-s-new-security-features-don-t-care-whose-data-center-you-re

    edited January 2020
  • Reply 9 of 27
    ‘Forget it; drive on’
  • Reply 10 of 27
    I am perhaps a bit dense, but I learnt nothing from the article about why I would need something like this in the first place.

    What does this do for me that Apple's security processes and protocols and hardware do not?
    edited January 2020
  • Reply 11 of 27
    dewme Posts: 5,368 member
    kkqd1337 said:
    Am I right that using this places you at high risk of being locked out of your accounts should your phone get stolen or broken?

    And if so is it a good idea for your key to be a desirable $1,500 phone?

    no one gonna steal a dongle 
    This is one of the only logic-based and pragmatic arguments put forth in the forum so far. Well done. 
  • Reply 12 of 27
    GeorgeBMac Posts: 11,421 member
    urahara said:
    I won't even bother reading this article.
    Google and Security is just a non-sequitur.

    lkrupp said:
    gatorguy said:
    axcess99 said:
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    https://landing.google.com/advancedprotection/
    The article includes this link, but not so obviously. The Google blog piece more clearly explains what this is and why it vastly improves security. 
    You simply cannot use the words Google and security in the same sentence. it's anathema and it's a shame you don't understand that.


    How am I to interpret the fact that Google has a relatively low security breach statistics (https://en.wikipedia.org/wiki/List_of_data_breaches)
    How good is Google's know-how in security sector?
    How much can we benefit from their knowledge and tools?


    Russia "has a relatively low security breach statistics" too.
  • Reply 13 of 27
    gatorguy Posts: 24,213 member
    I am perhaps a bit dense, but I learnt nothing from the article about why I would need something like this in the first place.

    What does this do for me that Apple's security processes and protocols and hardware do not?
    Nope, you're not dense at all. That's one reason I linked the Blog article that better explains it. Post 3.
    https://landing.google.com/advancedprotection/

    Even more secure would be the primary advantage, depending of course on the services you use. 
    edited January 2020
  • Reply 14 of 27
    StrangeDays Posts: 12,879 member
    lkrupp said:
    gatorguy said:
    axcess99 said:
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    https://landing.google.com/advancedprotection/
    The article includes this link, but not so obviously. The Google blog piece more clearly explains what this is and why it vastly improves security. 
    You simply cannot use the words Google and security in the same sentence. it's anathema and it's a shame you don't understand that.
    Well I think there are two similar but different problem spaces — security, and privacy. Google may well be fine at security; they just don’t give a shit about privacy. 
  • Reply 15 of 27
    gatorguy Posts: 24,213 member
    lkrupp said:
    gatorguy said:
    axcess99 said:
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    https://landing.google.com/advancedprotection/
    The article includes this link, but not so obviously. The Google blog piece more clearly explains what this is and why it vastly improves security. 
    You simply cannot use the words Google and security in the same sentence. it's anathema and it's a shame you don't understand that.
    Well I think there are two similar but different problem spaces — security, and privacy. Google may well be fine at security; they just don’t give a shit about privacy. 
    Good golly... Another flaky claim. Doesn't anyone read anymore or is it just more fun for you to post FUD and falsehoods? Of course Google cares about user privacy. It's integral to their business strategy and revenue model. Geesh o'Pete, get out of your cocoon. 

    https://www.wsj.com/articles/google-chrome-to-phase-out-third-party-cookies-in-effort-to-boost-privacy-11579026834
    https://arstechnica.com/information-technology/2020/01/google-plans-to-drop-chrome-support-for-tracking-cookies-by-2022/

    Selfish motivations can still be consumer and privacy positive.
    edited January 2020
  • Reply 16 of 27
    avon b7 Posts: 7,687 member
    Considering Google's scope, its security is top notch. Its record is surprisingly good given how ubiquitous its technology is.

    A little anecdote.

    A few years ago I was in a data centre which housed some Google hardware. It was the only gear that was individually under lock and key with access severely monitored and restricted. And this was in an already highly secure setting as the centre covered critical infrastructure (and petabytes of CERN data). I happened to meet a Google employee that was visiting but he looked like a very young, fat, happy hippy with a big bushy beard. Entirely not what I expected. This was in Spain and he had flown in from Poland. A really down to earth relaxed guy with a permanent smile.


  • Reply 17 of 27
    GeorgeBMac Posts: 11,421 member
    avon b7 said:
    Considering Google's scope, its security is top notch. Its record is surprisingly good given how ubiquitous its technology is.

    A little anecdote.

    A few years ago I was in a data centre which housed some Google hardware. It was the only gear that was individually under lock and key with access severely monitored and restricted. And this was in an already highly secure setting as the centre covered critical infrastructure (and petabytes of CERN data). I happened to meet a Google employee that was visiting but he looked like a very young, fat, happy hippy with a big bushy beard. Entirely not what I expected. This was in Spain and he had flown in from Poland. A really down to earth relaxed guy with a permanent smile.



    Under lock and key inside an already secure facility?
    That illustrates the fallacy of those who defend our voting machines that, by design, cannot be audited, verified or recounted and are typically stored in old warehouses and such.  They claim:   "If it's not connected to the internet it can't be hacked." and then walk away with a satisfied smile thinking the issue is all settled and resolved. 
  • Reply 18 of 27
    mcdave Posts: 1,927 member
    urahara said:
    I won't even bother reading this article.
    Google and Security is just a non-sequitur.

    lkrupp said:
    gatorguy said:
    axcess99 said:
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    https://landing.google.com/advancedprotection/
    The article includes this link, but not so obviously. The Google blog piece more clearly explains what this is and why it vastly improves security. 
    You simply cannot use the words Google and security in the same sentence. it's anathema and it's a shame you don't understand that.


    How am I to interpret the fact that Google has a relatively low security breach statistics (https://en.wikipedia.org/wiki/List_of_data_breaches)
    How good is Google's know-how in security sector?
    How much can we benefit from their knowledge and tools?

    I think they’re alluding to privacy contempt that’s core to Google’s business.  Why would you trust a thief with your keys?
  • Reply 19 of 27
    gatorguy Posts: 24,213 member
    mcdave said:
    urahara said:
    I won't even bother reading this article.
    Google and Security is just a non-sequitur.

    lkrupp said:
    gatorguy said:
    axcess99 said:
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    https://landing.google.com/advancedprotection/
    The article includes this link, but not so obviously. The Google blog piece more clearly explains what this is and why it vastly improves security. 
    You simply cannot use the words Google and security in the same sentence. it's anathema and it's a shame you don't understand that.


    How am I to interpret the fact that Google has a relatively low security breach statistics (https://en.wikipedia.org/wiki/List_of_data_breaches)
    How good is Google's know-how in security sector?
    How much can we benefit from their knowledge and tools?

    I think they’re alluding to privacy contempt that’s core to Google’s business.  Why would you trust a thief with your keys?
    Maybe you'd do better with pictures, even better a cartoon...
    https://federated.withgoogle.com/
  • Reply 20 of 27
    GeorgeBMac Posts: 11,421 member
    mcdave said:
    urahara said:
    I won't even bother reading this article.
    Google and Security is just a non-sequitur.

    lkrupp said:
    gatorguy said:
    axcess99 said:
    FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site.. but guess if they can make the apps simple and available enough it might catch on. personally would prefer something like SQRL.
    https://landing.google.com/advancedprotection/
    The article includes this link, but not so obviously. The Google blog piece more clearly explains what this is and why it vastly improves security. 
    You simply cannot use the words Google and security in the same sentence. it's anathema and it's a shame you don't understand that.


    How am I to interpret the fact that Google has a relatively low security breach statistics (https://en.wikipedia.org/wiki/List_of_data_breaches)
    How good is Google's know-how in security sector?
    How much can we benefit from their knowledge and tools?

    I think they’re alluding to privacy contempt that’s core to Google’s business.  Why would you trust a thief with your keys?

    ... Or with your data....
    In another confirmation of the lack of trust of Google both major Electronic Health Record vendors are forcing hospitals to cut ties with Google cloud services in favor of more secure AWS and Microsoft services.

    Since a major revenue stream for EHR companies is selling your health information, to block the world leader in selling customer's data is a big deal.


    Epic Systems, a major medical records vendor, is warning customers it will stop working with Google Cloud


    https://www.cnbc.com/2020/01/17/epic-systems-warns-customers-it-will-stop-supporting-google-cloud.html

