Now you can use Android devices as security keys for iPhones, iPads

[The AchieVer]

Now you can use Android devices as security keys for iPhones, iPads

Google looks to add an extra layer for security for Apple's devices.

 

Android devices versions 7.0 and up can be used to verify logins on iOS devices, Google announced on Wednesday.

Lynn La/CNET

You can start using an Android phone as a security key for your iOS devices, Google announced on Wednesday. The expansion comes nearly two months after Google first unveiled the security feature for more than a billion Android devices. 

 

Security keys are one of the best ways you can protect your accounts from hackers, but convenience and adoption has always been a major roadblock. Google hoped to tackle that by allowing Android devices versions 7.0 and up to function as security keys. Despite that feature being available to half of all Android users, only about 100,000 people accessed it in its first month, a Google spokesperson said.

 

It's not different from two-factor authentication for Gmail, which only about 10 percent of people actually use.

 

Security keys have obvious benefits: Even if a hacker steals your password and login, unless he or she also stole the physical key, your account would still be safe. Also, if you were typing in your credentials on a phishing website, the security key would detect it and warn you about the fraudulent page. 

 

When Google first announced Android phones as security keys, it noted that it was only working on Chrome browsers and Google accounts, but it expected to expand availability. It already works over MacOS by using the Chrome browser, but for iOS devices, Google will require people to use the Smart Lock app instead.

 

Your Android device and the iOS device you're trying to log in on communicate through Bluetooth with the FIDO authentication standard. 

 

The expansion for Android phones as security keys adds another layer of security for iOS devices, as Apple also announced privacy protections with logins at WWDC. Sign-In with Apple allows people to log onto other services without providing their email addresses and passwords, and works with biometrics like Face ID and Touch ID instead. 

 

Like security keys, biometrics offer an extra level of protection, as it's much harder for hackers to remotely steal your fingerprints or your face. 

 

 

 

Source

[Karlston]

I’ll be passing on Google’s new 2fa for logins on iPhones and iPads. Here’s why

If using Android to log in to Google from an iPad sounds complicated... you're right.

Enlarge

Google

Google is expanding its new Android-based two-factor authentication (2fa) to people logging in to Google and Google Cloud services on iPhones and iPads. While Google deserves props for trying to make stronger authentication available to more users, I’ll be avoiding it in favor of 2fa methods Google has had in place for years. I’ll explain why later. First, here’s some background.

 

Google first announced Android’s built-in security key in April, when it went into beta, and again in May, when it became generally available. The idea is to make devices running Android 7 and up users’ primary 2fa device. When someone enters a valid password into a Google account, the phone displays a message alerting the account owner. Users then tap a "yes" button if the login is legitimate. If it's an unauthorized attempt, the user can block the login from going through.

 

The system aims to tighten account security in a meaningful way. One of the key causes of account breaches is passwords that are compromised in phishing attacks or other types of data thefts. Google has been a leader when it comes to two-factor protections that by definition require something in addition to a password for someone to gain access to an account.

 

Among the strongest forms of 2fa available from Google are cryptographic security keys that connect to a computer’s USB slot. These keys are based on standards from the industry-wide FIDO alliance. They’re extremely reliable and virtually impossible to be phished. Later versions that used low-energy Bluetooth or near-field communication worked natively with Android devices but so far have been a nonstarter with iOS users, who complain the devices don't always work reliably.

 

That has left Google scrambling for another FIDO-sanctioned way for the masses to do 2fa. And that’s where Android built-in keys come in. Unfortunately, there are key drawbacks to this method as well. First, it relies on Bluetooth, and all its maddening glitches, for the phone to communicate with the macOS, Windows 10, or Chrome OS device the user is logging in to. Second, it also works only when people log in to an account using Google’s Chrome browser. Other browsers and apps are out of luck. Another shortcoming was that Android keys weren’t available to users logging in from an iOS device.

 

On Wednesday, Google is addressing this last drawback with a new method that brings Android keys to iPhone and iPad users. It relies on the Google Smart Lock app running on the iOS device that communicates over Bluetooth with the built-in key stored on the user’s Android phone or tablet. (The app, which is also used to make FIDO-based crypto keys work with iOS devices, has user ratings of just 2.2 out of 5.) Google has additional instructions here. Company representatives declined to provide interviews for this post.

Thanks, but no thanks

I spent about 90 minutes trying to get the method to work between an iPad mini and a Pixel XL. I had no trouble setting up Android’s built-in key and using it to authenticate logins from a macOS computer to both a personal Google account and a work account provided by G Suite. Alas, I was never able to get the Android keys to work when logging in to either account on the iPad mini. It was a frustrating experience, but at least it was progress. Ars Reviews Editor Ron Amadeo told me he was unable to get even the Android piece to work when he tried several weeks ago.

 

I won’t rule out the possibility that the failure is at least in part the result of user error. But that’s not the point. If people from a tech site struggle, so, too, will Aunt Mildred or Uncle Frank in Poughkeepsie. And given Bluetooth’s above-mentioned quirks, it seems entirely plausible that our inability to get Android’s built-in keys to work was the result of a failure of the devices to connect over this wireless channel.

 

And as long as we’re talking about Bluetooth deficiencies, let’s not forget that Google recently warned that the Bluetooth Low Energy version of the Titan security key it sells for two-factor authentication can be hijacked by nearby attackers. The weakness doesn’t automatically mean Bluetooth is insecure, but it does suggest that the channel may be less suited for highly sensitive security protocols than some engineers recognize.

 

So for the time being, I have no plans to use Android keys when logging in to Google on my iOS devices. Instead, I’ll continue to use Duo Mobile’s authenticator feature (Google Authenticator works almost identically), as I have for a while now. This mechanism isn’t perfect. The one-time token numbers are short-lived, but they can still be obtained by quick-moving attackers who enter credentials into a real Google account immediately after a target enters them in to a look-alike phishing site. That scenario may help explain how Iranian hackers recently managed to bypass 2fa protections offered by Yahoo Mail and Gmail.

 

Another 2fa option for iOS users is Google prompt, which has been available for more than a year. Unfortunately, that protection, too, can be abused by quick-acting phishers.

 

So thanks, Google, for trying so hard to bring easy-to-use 2fa to more users. But I’ll pass on this latest offering until the industry gets this mess sorted out.

 

 

 

Source: I’ll be passing on Google’s new 2fa for logins on iPhones and iPads. Here’s why (Ars Technica)