Mobile devices running Android 7.0 or higher can now act as two-factor authentication (2FA) security keys, following Google's beta release of a new Android security feature.
This means that any Android device running version 7.0 or above can operate in the same manner as a USB-based 2FA security key.
The new security key feature being trialled on Android devices uses Bluetooth to communicate with the device you are trying to sign in from. A notification is sent to your phone asking you to confirm that it is indeed you who wishes to sign in to that particular account.
If the user tries to log in to a website that is not an authentic Google site, the system refuses the request for the security key, causing a failed login attempt.
Google is designing their security keys on the well-established FIDO protocols, which they also currently use for their own 2FA USB-based Titan Security Key.
The Fast IDentity Online (FIDO) Alliance was launched in 2012 with the aim of tackling the problems users face managing multiple passwords across the internet.
With FIDO, authentication is done by a client device that proves it holds the private key. The user unlocks the key locally with a password, a finger swipe or a biometric login. Once the key is unlocked, it is used to log in to a service by issuing a challenge to the site.
Google Cloud Identity and Security head Christiaan Brand has previously given talks that explain the company's 2FA security, or, as Google refers to it, two-step verification (2SV), in more detail.
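To make the flow above concrete, here is an added example (not Google's code, not part of the article, and not the FIDO specification's own wire format) of why a key bound to an origin resists the fake sign-in page described earlier. It models the phone as an authenticator holding a per-origin ECDSA P-256 private key that never leaves the device, a relying party that issues a random challenge and verifies the signature with the stored public key, and a user-confirmation step standing in for the notification prompt. The origins, the user name and the simplified "client data" hash (origin plus challenge) are constructed assumptions; real FIDO/WebAuthn signs a CBOR/JSON client data structure plus authenticator data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the phone acting as a security key. Each private key is
// scoped to the origin it was registered for and never leaves the device.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // origin -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: make(map[string]*ecdsa.PrivateKey)}
}

// Register creates a fresh key pair bound to origin and returns only the public half.
func (a *Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = priv
	return &priv.PublicKey, nil
}

// clientDataHash binds the signed challenge to the origin the browser reports
// (simplified stand-in for FIDO's clientDataJSON hash, an assumption of this example).
func clientDataHash(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin + "|" + hex.EncodeToString(challenge)))
	return h[:]
}

// Sign answers a challenge only if the user confirmed the prompt and a key exists
// for the origin asking. A look-alike domain has no key, so it gets nothing to relay.
func (a *Authenticator) Sign(origin string, challenge []byte, userConfirmed bool) ([]byte, error) {
	if !userConfirmed {
		return nil, errors.New("user did not confirm the sign-in prompt")
	}
	priv, ok := a.keys[origin]
	if !ok {
		return nil, fmt.Errorf("no credential registered for origin %q", origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, clientDataHash(origin, challenge))
}

// RelyingParty models the site: it stores public keys and verifies signed challenges.
type RelyingParty struct {
	origin string
	users  map[string]*ecdsa.PublicKey
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, users: make(map[string]*ecdsa.PublicKey)}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.users[user] = pub }

// NewChallenge returns 32 random bytes; a fresh value per attempt defeats replay.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signature against the stored public key and against the site's
// own origin, so a signature produced for some other origin is rejected here too.
func (rp *RelyingParty) Verify(user, signedOrigin string, challenge, sig []byte) error {
	pub, ok := rp.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	if signedOrigin != rp.origin {
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", signedOrigin, rp.origin)
	}
	if !ecdsa.VerifyASN1(pub, clientDataHash(signedOrigin, challenge), sig) {
		return errors.New("signature invalid")
	}
	return nil
}

// Login runs one sign-in attempt from the origin the browser believes it is on.
func Login(auth *Authenticator, rp *RelyingParty, user, browserOrigin string, userConfirmed bool) error {
	challenge, err := rp.NewChallenge()
	if err != nil {
		return err
	}
	sig, err := auth.Sign(browserOrigin, challenge, userConfirmed)
	if err != nil {
		return err
	}
	return rp.Verify(user, browserOrigin, challenge, sig)
}

func main() {
	auth := NewAuthenticator()
	rp := NewRelyingParty("https://accounts.google.com") // constructed origin
	pub, _ := auth.Register(rp.origin)
	rp.Enroll("alice", pub) // constructed user
	fmt.Println("genuine site:   ", Login(auth, rp, "alice", rp.origin, true))
	fmt.Println("look-alike site:", Login(auth, rp, "alice", "https://accounts-google.example", true))
	fmt.Println("prompt declined:", Login(auth, rp, "alice", rp.origin, false))
}
```

The two checks are independent on purpose: the authenticator refuses to sign for an origin it has never registered with, and the relying party refuses any signature whose origin is not its own, so a credential stolen from one step cannot be reused at the other.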
Android Security Keys Tackle Phishing Attacks
In 2017 Google pushed all of its employees to use 2FA security methods and issued nearly all of its employees with USB-based keys. These keys replaced one-time codes and password security as the norm at Google.
These security measures appear to have been highly successful as Google stated last year that none of its employees, numbering above 85,000 at the time, had fallen victim to a phishing attack.
Arnar Birgisson, Software Engineer, and Christiaan Brand, Product Manager, commented in a security blog that: “At Google, we automatically block the overwhelming majority of malicious sign-in attempts (even if an attacker has your username or password), but an additional layer of protection can be helpful.”
“While any form of 2SV, like SMS text message codes and push notifications, improves the security of your account, sophisticated attackers can skirt around them by targeting you with a fake sign-in page to steal your credentials.”