Recently I received a notification from Google to set up my phone’s “built-in security key” for 2-Step Verification (aka 2FA).
According to a 2019 Google post, the built-in security key is one of “the strongest, most phishing-resistant methods of 2FA”.
This security key functions like a physical YubiKey and is similarly based on the FIDO standards.
FIDO leverages public key cryptography to verify a user’s identity and URL of the login page, so that an attacker can’t access users’ accounts even if users are tricked into providing their username and password.
(Brand, C. & Birgisson, A., 2019, “Now generally available: Android phone’s built-in security key”)
How It Works
This security key is built in on both Apple and Android phones and available at no extra cost. This makes it an attractive alternative for anyone not looking to spend $40-$100+ on a physical authenticator key (such as Yubico’s YubiKeys or Google’s own Titan Security Keys).
When signing in, the devices need to be close together in order for the built-in security key to work, with both Bluetooth and Location Services turned on.
This does mean that it’s limited to devices with a Bluetooth connection, whether that is built-in or via Bluetooth adaptor. Problems might be encountered in areas with densely overlapping Bluetooth coverage.
Location Services being required is less of a problem than it sounds. The phone does not need a GPS fix: Android treats scanning for nearby Bluetooth devices as location-sensitive (a BLE beacon can reveal where you are), so the system only returns scan results while the location toggle is on. The factors that usually degrade GPS reception (satellite geometry, signal blockage, atmospheric conditions, receiver design and quality) should therefore not, by themselves, stop the prompt from appearing underground, in canyons or in dense forests. What matters is that Location Services and Bluetooth are both enabled and the two devices are within Bluetooth range.
It can be used to authenticate sign-ins on Chrome OS, iOS, macOS, and Windows. If you use Chrome or any Apple device, you’re in luck. As of 2022, Microsoft Edge is also supported.
Everyone else – not so much. Android is unfortunately excluded from that list, as are other browsers. But even as someone who avoids using Chrome whenever possible – I do still have it installed. So just having it on should still be better than not, right?
While opting in was easy enough, the built-in security key was now set as the default 2-Step Verification method – even on unsupported platform logins (Mozilla Firefox browser, Android sign-in).
After entering my password I was told to check for a prompt on my phone that never came up (as it wasn’t a compatible platform for verification).
Each sign-in now required an additional step of choosing my usual 2FA method. As I rarely sign in on Chrome and don’t use any Google desktop apps, I’ve opted out for now.