Security keys offer one of the most secure authentication methods for logging into an account -- it requires plugging in a physical key. Many people, however, may not want to pay for an extra security device, or they may simply forget to carry it with them. Now, Google is trying to make this authentication method more accessible by enabling any phone running Android 7+ to serve as a security key to protect personal Google accounts and professional Google Cloud accounts.
"Think of it like a security key in almost every modern Android phone... a very easy-to-use form factor for over a billion users," Rob Sadowski, Google's Trust and Security marketing lead, told reporters last week. "Having that as your authenticator really makes it easy to use and always available."
While any form of two-step verification improves your security, security keys are immune to phishing attacks -- it doesn't matter if a hacker tricks you into handing over your credentials if they don't have your key.
To activate an Android device's security key, a customer just needs a phone running Android 7+ and a Bluetooth-enabled Chrome OS, macOS X, or Windows 10 computer with a Chrome browser.
The software-based solution is based on FIDO standards. Given that a user could lose their phone, Google recommends they register at least two security keys for their account. In addition to offering security keys via Android phones, Google produces the Titan Security Key.