Now generally available: Android phone’s built-in security key
Software Engineer, Google
Phishing—when an attacker tries to trick you into turning over your online credentials—is one of the most common causes of security breaches. At Google Cloud Next ‘19, we enabled you to help your users defend against phishing with a security key built into their Android phone, bringing the benefits of a phishing-resistant two-factor authentication (2FA) to more than a billion users worldwide. This capability is now generally available.
While Google automatically blocks the overwhelming majority of malicious sign-in attempts (even if an attacker has a username or password), 2FA, also known as 2-Step Verification (2SV), considerably improves user security. At the same time, sophisticated attacks can skirt around some 2FA methods to compromise user accounts. We consider security keys based on FIDO standards, including Titan Security Key and Android phone’s built-in security key, to be the strongest, most phishing-resistant methods of 2FA. FIDO leverages public key cryptography to verify a user’s identity and URL of the login page, so that an attacker can’t access users’ accounts even if users are tricked into providing their username and password.
Security keys are now available built-in on phones running Android 7.0+ (Nougat) at no additional cost. That way, your users can use their phones as their primary 2FA method for work (G Suite, Cloud Identity, and GCP) and personal Google Accounts to sign in on Bluetooth-enabled Chrome OS, macOS X, or Windows 10 devices with a Chrome browser. This gives them the strongest 2FA method with the convenience of a phone that’s always in their pocket.
As the Google Cloud administrator, start by activating Android phone’s built-in security key to protect your own work or personal Google Account following these simple steps:
- Add your work or personal Google Account to your Android phone.
- Make sure you’re enrolled in 2-Step Verification (2SV).
- On your computer, visit the 2SV settings and click "Add security key".
- Choose your Android phone from the list of available devices—and you’re done!
When signing in, make sure Bluetooth is turned on on both your phone and the device you are signing in on. You can find more detailed instructions here.
To help ensure the highest levels of account protection, you can also require the use of security keys for your users in G Suite, Cloud Identity, and GCP, letting them choose between using a physical security key, their Android phone, or both. We recommend that users register a backup security key to their account and keep it in a safe place, so that they can gain access to their account if they lose their phone. Hardware security keys are available from a number of vendors, including Google with our Titan Security Key.