Google has announced a new initiative to push two-step verification (2SV) to as many users as possible, by baking the functionality directly into Android smartphones in place of requiring physical dongles.
Two-step verification (2SV), a variant of two-factor authentication (2FA), is designed to protect against attackers who know your username and password by requiring something else before the account can be accessed. The 'something else' can take a range of forms, from codes sent via SMS message - vulnerable to interception or SIM-cloning/transfer attacks - or generated using an algorithm shared with the server to physical dongles with onboard secure enclaves. The latter of these is, naturally, more secure, but requires that the user care enough about their security to splash out cash on a physical device - unless you have a recent Android smartphone, that is.
Extending its previous Google Authenticator application, which generated a constantly-changing log-in code known only to the user and the server, Google has announced that it is adding 2SV support to Android 7.0 and above - allowing smartphones and tablets to act as a physical security key without the need to own dedicated hardware.
The system, launched this week in beta form, is compatible with any Windows 10, macOS, or Chrome OS desktop or laptop with a functional Bluetooth connection. Accounts which have 2SV enabled can be linked to an Android 7.0 or above device on the same account; when a login request is made the user is prompted on the handset, and must confirm by pressing a button on selected Pixel-branded devices or confirming on-screen for other handsets.
The built-in 2SV support comes after Google launched its own Titan security key, based on the earlier Fast Identity Online (FIDO) standard rather than the newer FIDO2 standard adopted by September's YubiKey 5. Information on how to enrol on the Android 2SV beta and activate it on a Google account can be found from the official announcement.
February 27 2020 | 11:00