Last April, Google announced that users could use the chips inside their Android smartphones as a de-facto security key for their Google accounts.
Starting this week, Google has expanded this feature to iPhones.
Google users will be able to register their iPhone as a two-factor (2FA) method for their Google accounts, similar to how they register hardware security keys.
The next time they log into their Google account, users will enter their username and password, and then turn on their iPhone's Bluetooth connection, which will verify the login attempt in the same way a hardware security key would.
According to Google, to set up an iPhone as a security key for a Google account, users will need an iPhone running iOS 10 (released in Sep 2016) or later.
In addition, iPhone users will have to install Google's Smart Lock app (v1.6 or later), which was updated on Monday to support iPhones as a 2FA method.
A step-by-step tutorial on how to set up your iPhone as a security key for your account is available in this Google support document.
Under the hood, an iPhone will be able to work as a security key because of Apple's support for secure enclaves in its T1 chips, which started shipping with Apple devices in the fall of 2016.
The secure enclaves allow the iPhone to compute cryptographic operations in a secure environment, similar to how hardware security keys work.
Updates to Google's Advanced Protection Program
With today's expansion, Google is now letting users replace hardware security keys with their phones. This change will also trigger a modification to Google's Advanced Protection Program (APP).
The APP is a program at Google for users facing higher security risks than others -- such as politicians, business executives, and journalists. These users can enroll in the Google APP and benefit from extra security protection features, provided by Google at no extra cost.
Before making Android and iPhone smartphones de-facto security keys, Google users needed a separate hardware security key to enroll in the program.
Now that Androids and iPhones can work as security keys, this won't be necessary anymore, and users will be able to sign up for the APP with just their phones. This makes it easier for more users to sign up, especially in countries and regions of the globe where hardware security keys are not ubiquitously available for purchase.
The move is more than welcome on Google's part. In a joint study conducted with The Harris Poll, the two companies surveyed 500 high-risk users living in the US, including politicians and their staff, journalists, influencers, and business execs. According to the survey's results, it was clear that this category of users was facing more security threats than others, and that they needed any extra protection they could get:
- 74% report having been the target of a phishing attempt or compromised by a phishing attack; of those, 72% say that attack was tailored to them
- 65% report being more concerned about their online accounts being hacked today compared to one year ago
- 46% agree that they have not changed how they keep their online accounts secure from hacking because it's too complex or too inconvenient
- 60% of politicians have not significantly updated how they secure their online accounts from hacking following the 2016 DNC breach