
Android Security Keys: Now you can Hold 2FA Keys on Your Smartphone

“An additional layer of protection can be helpful.”

By CBR Staff Writer

Mobile devices running Android 7.0 or higher can now hold two-factor authentication (2FA) security keys, following Google’s release of a new Android security feature in beta.

This means that any Android device running version 7.0 or above can operate in the same manner as a 2FA USB-based security key.

The new security key feature being trialled on Android devices uses Bluetooth to communicate with the device you are trying to connect to. A notification will be sent to your device requesting that you confirm it is indeed you who wishes to sign into that particular account.

If the user tries to log into a website that is not an authentic Google site, then the system will refuse the request for the security key, causing a failed login attempt.

Google is building its security keys on the well-established FIDO protocols, which it also currently uses for its own 2FA USB-based Titan Security Key.

The Fast IDentity Online (FIDO) Alliance was launched in 2012 with the aim of tackling issues users had managing multiple passwords across the internet.

With FIDO the authentication is done by a client device which proves it holds the private key. The user can unlock the key locally by using a password, finger swipe or a biometric login. Once the key is unlocked it is then used to log in to a service by issuing a challenge to the site.
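
An added example, not Google's or the FIDO Alliance's code, sketching the two behaviours described above: a device proving it holds a private key by signing a random challenge, and the request being refused when the origin is not the one the key was registered for. The class and function names, the origins and the JSON client data are assumptions made for illustration; real FIDO messages use a binary encoding.

```javascript
const crypto = require("crypto");

// Authenticator (the phone): one key pair per origin; private keys never leave it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(origin, privateKey);
    return publicKey; // the site stores only this
  }
  // `origin` is reported by the browser, not chosen by the page asking for a signature.
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no credential for this origin: request refused
    const clientData = JSON.stringify({ origin, challenge: challenge.toString("base64") });
    return { clientData, signature: crypto.sign("sha256", Buffer.from(clientData), key) };
  }
}

// Relying party (the site): checks origin, then the challenge, then the signature.
function verifyAssertion(publicKey, expectedOrigin, challenge, assertion) {
  if (!assertion) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== expectedOrigin) return false;
  if (data.challenge !== challenge.toString("base64")) return false;
  return crypto.verify("sha256", Buffer.from(assertion.clientData), publicKey, assertion.signature);
}

function demo() {
  const REAL = "https://accounts.example.com";        // constructed origins
  const FAKE = "https://accounts.example-login.test";
  const phone = new Authenticator();
  const publicKey = phone.register(REAL);
  const challenge = crypto.randomBytes(32); // fresh per login attempt

  const genuine = verifyAssertion(publicKey, REAL, challenge, phone.sign(REAL, challenge));
  // Look-alike page forwards the same challenge, but the browser reports FAKE as the origin.
  const phished = verifyAssertion(publicKey, REAL, challenge, phone.sign(FAKE, challenge));
  // A captured assertion is useless against the next login's challenge.
  const replayed = verifyAssertion(publicKey, REAL, crypto.randomBytes(32), phone.sign(REAL, challenge));
  return { genuine, phished, replayed };
}

console.log(demo());
```

Unlike a one-time code, nothing the user can type or read out is involved, so there is no secret for a fake sign-in page to collect.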


Google Cloud Identity and Security head Christiaan Brand has previously given talks which give a more detailed explanation of the company's 2FA security or, as Google refers to it, Two-step verification (2SV).

Android Security Keys Tackle Phishing Attacks

In 2017 Google pushed all of its employees to use 2FA security methods and issued nearly all of its employees with USB-based keys. These keys replaced one-time codes and password security as the norm at Google.

These security measures appear to have been highly successful, as Google stated last year that none of its employees, numbering above 85,000 at the time, had fallen victim to a phishing attack.

Arnar Birgisson, Software Engineer, and Christiaan Brand, Product Manager, commented in a security blog that: “At Google, we automatically block the overwhelming majority of malicious sign-in attempts (even if an attacker has your username or password), but an additional layer of protection can be helpful.”

“While any form of 2SV, like SMS text message codes and push notifications, improves the security of your account, sophisticated attackers can skirt around them by targeting you with a fake sign-in page to steal your credentials.”

See Also: Android Gets FIDO2 Support: Death to Passwords?
