You must have heard of Google’s two-factor authentication, and a large number of you out there are definitely putting it to great use. Apparently, it is Google’s protective measure to guard your accounts against all sorts of phishing attacks and hijacking and, therefore, keep your accounts and their contents secure and safe. Google has now added another feature to its series of two-factor authentication methods, and this time it has tried to close the loopholes left open by the previous 2FA methods.
Google has recently added your phone as a security key for logging in to your accounts, thus making it difficult for attackers to hijack your account without physical access to your phone. How is it different from other means of 2FA, and how does it ensure more security?
Two-Factor Authentication with Google
Google has been keen on keeping user data safe for a long while now. The most common form of two-factor authentication was SMS verification. You add a phone number to your Google Account, and every time you wish to log in to any of the Google services you’d be asked to enter a six-digit passcode received on your verified phone number.
Though it was thought that this would prevent any kind of breach, phishing attackers somehow found a way to access that code, either by sending fraudulent emails demanding your passcodes or by breaching the servers of network operators. So, Google moved towards advanced two-factor authentication via the Google Authenticator application.
Google Authenticator was initially released in 2010, but it did not catch people’s attention until a lot longer after that. Google Authenticator is a mobile application installed on users’ mobile phones, which generates random six-digit codes to give you login access to your Google services or any other app which supports third-party app authentication, such as Facebook. That six-digit code remains a secret, as Google Authenticator does not connect with the server apart from the time you are registering the account by scanning a QR code. What happens is that the app syncs a key with the account, and that key then uses time-based factors to change the password frequently. Hence, you get a new one-time password from that key at different instants, even without being connected to a server.
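The offline code generation described above, as an added example that is not part of the original article and is not Google's code: the standard time-based one-time password algorithm (RFC 6238), showing that the phone and the server derive the same code from the shared key and the clock alone. The names `decode_secret`, `verify` and `DEMO_SECRET`, the one-step drift window and the replay check are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds each code stays valid (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 key that the enrolment QR code carries."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, unix_time: float, digits: int = 6) -> str:
    """Code the phone shows at unix_time: needs only the key and a clock."""
    return hotp(decode_secret(secret_b32), int(unix_time) // STEP, digits)


def verify(secret_b32, submitted, unix_time, last_counter=-1, window=1):
    """Server side: return the matching time-step counter, or None.

    window tolerates clock drift between phone and server; last_counter
    (the step of the last accepted code) rejects a replayed code.
    """
    secret = decode_secret(secret_b32)
    now = int(unix_time) // STEP
    for counter in range(max(0, now - window), now + window + 1):
        if counter <= last_counter:
            continue  # already used: do not accept the same code twice
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    code = totp(DEMO_SECRET, 59)
    print(code, verify(DEMO_SECRET, code, 59))
```

A server that stores the returned counter and passes it back as `last_counter` on the next attempt accepts each code only once, even inside its 30-second validity period.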
Though Authenticator was widely accepted as a reliable 2FA medium, Google, in 2016, launched Google Prompt, another two-factor authentication method that requires a connected mobile device to approve logins. Prompt, as the name suggests, creates a screen prompt on your mobile device whenever you log in to your Google Account, which asks you “Is It You trying To Sign In”. Along with the question, it tells you what device you are using to log in, along with the time and estimated location. Tap “Yes” to grant access, or “No” in case it isn’t you.
Then in 2018, Google launched the Google Titan Security Key, a USB, mobile USB, or Bluetooth key which needs to be connected to the device first to authenticate your login attempt. Without the key, there’s no way you can access services by logging in. It was meant to be the strongest line of defense against phishing attacks and account hijacking.
And now, Google has gone one more step ahead to secure your logins.
Google’s New Mobile Bluetooth-based Two-Factor Authentication
In the newly launched 2FA security measure, Google has added another device to its series of security keys, and this time you won’t have to buy it separately from the store. Google has added your phone as a security key by connecting your phone, via Bluetooth, to the other device on which you access your account. So, just as you connected Google Titan to your accessing device via Bluetooth, you’ll now connect your mobile phone via the same Bluetooth and use it as a Google security key.
Requirements to Set Up Built-In Security feature for Google 2FA
Before you even begin, there are a few requirements to enable and use this feature:
- First, your device should at the very least have Android version 7, that is, Android Nougat, installed. Any version below Android 7 (or any other OS) would not support this feature.
- This feature would only work if you use Google Chrome as your web browser for accessing your Google Account. The browser can be opened on any OS to enable this feature; however, you can’t use it if Microsoft Edge or Safari is your preferred web browser.
- Both the mobile and the computer device should have in-built Bluetooth and GPS (which is not a problem in newer versions of desktops and laptops).
How can you make your Phone a Google Security Key?
So, first you need to log in to your Google MyAccount as you normally do, that is, via SMS verification or Google Prompt, or maybe directly without 2FA for that matter. Once you do that, click on the Get Started button under the option “We Keep Your Account Protected”.
Once that’s done, you’ll be transferred to the Google Security Checkup window. Once there, click on the 2-Step Verification button.
Once you click on that button, a drop-down menu will show you the details of your current 2-Step Verification features. Look for the 2-Step Verification Settings option there and open that link.
Then log in to your account and scroll down the window to find the Security Key option among the other 2FA methods. Click on the Add Security button.
Clicking on that would pop up another option panel, where you’ll select the security key you want to set up.
Now, in case you already own Google Titan, you are already set. But in case you don’t, Google’s new feature would let you add your phone as an in-built security key.
Once you move ahead, Google would ask you to turn on your mobile GPS and Bluetooth. Make sure you do that and then click on the ADD button.
And that’s it. Once you click on that ADD button, you’d have successfully added your mobile device as an in-built security key.
And, in case you ever wish to remove this device, the simple Trash icon to the right does the job.
Is it Better than the Previous 2FA Methods?
Well, the answer is yes. SMS verification as 2FA has a number of vulnerabilities. This is because the messages are sent over operator networks and can be traced and hijacked. So, that was never the best 2FA option, especially for business accounts. Then there are Google Authenticator and Google Prompt. While Google Authenticator is a viable option, Google Prompt would be of no use in case the phone’s damaged. However, both Google Authenticator and Google Prompt can be subjected to misuse if the phone’s stolen and its screen lock is breached (which is not that tough for someone with moderate knowledge of mobile technology).
Then there is Titan. It is a $50 dongle, and you’ll require three of them to support all sorts of devices. Yes, it’s highly secure, but in case it’s lost (given its small size), your accounts are toast. Consider all of them gone; recovering them by contacting Google support is a complicated and time-consuming task.
Why another Two-Factor Authentication Method?
Google has been under heavy scrutiny and has been hit with a lot of fines due to its negligence towards user data security, especially in Europe. GDPR authorities have regularly criticized Google’s failure to keep user data secure. So, this new feature is one of those consumer satisfaction attempts, which may help Google clear its image among the public. Moreover, with a majority of the public relying on Google for account services, it’s Google’s sole responsibility to keep that section satisfied and protect their identity all the time.
Will it be Successful?
Given Google’s nature, there are high chances it will find success and popularity. But again, in case of any damage to your mobile phone or in case of theft, your accounts will likely be gone forever. Plus, the whole point of Google’s in-built security key feature is to prevent an attacker from hijacking your account without having your phone nearby. So, you have to keep your phone close, as the feature would require both your mobile phone and your login device to be in close vicinity, which would be monitored by the GPS location.
Finally, a word of advice: keep at least one trusted device saved as an alternative for two-factor authentication in case you lose your phone. Losing your phone or your security key is a common problem in case of 2FAs. Keeping at least one trusted device would allow you to log in to your accounts without passing any 2FA step, and then you can remove the stolen key and SMS verification from Settings.
Google’s new in-built security key feature is so far only available on Android devices and would only work on Chrome for a while. Google has not yet revealed when it will support other apps such as Facebook and other platforms. Google is currently looking at all aspects and is still monitoring the feature for potential loopholes. How successful this is really going to be is better left to time.