If you own a Pixel 3, there’s a small bonus, too.
Google has enabled a two-factor authentication: using your phone as the near equivalent of a physical security key.
You should already be familiar with two-factor authentication: it is a way to prove that you are the person you say you are. For example, when you call your bank, the bank asks you some questions that only you can answer in order to prove that you are the person calling. Something like this is two-factor authentication.
Another way is to set up your phone number as a second factor: the service sends an SMS containing a code that only you, as the holder of that phone, can receive, so it knows you are who you say you are.
Google’s new use of an Android phone as a “hardware dongle” is almost, but not quite, the same. Instead of sending a notification to an app on your phone—which an attacker could access if you lost the phone and they knew your PIN code—the website or service tries to connect to your phone via Bluetooth. Google’s new 2FA method doesn’t require a dongle to be physically inserted into a PC, but since Bluetooth’s range is relatively short, the odds of an attacker accessing your unlocked phone while remaining physically near your PC are relatively low.
Otherwise, the way in which this two-factor authentication works should be familiar: You log in, the service sends an “Are you trying to sign in?” request to your phone, and then you confirm that yes, it’s you. Right now, Google’s new authentication is confined to its own services like Gmail and G Suite, and requires a phone running Android 7 or above. There’s no indication of this being tied to WebAuthn to enable 2FA on websites, though.
Google’s security page details the steps that are required:
- Enable two-factor authentication, if you have not already, on the web service in question.
- On your Android phone, go to myaccount.google.com/security.
- Under “Signing in to Google,” select 2-Step Verification.
- Scroll down to “Set up an alternative second step.”
- Select Add Security Key > Your Android phone > Turn on.
There is one bonus for users who own a Pixel 3: Instead of actually requiring you to unlock your phone, you can (optionally) just tap the volume-down button to confirm the authentication request.