Google will now allow iPhone users (iOS 10+) to use their phone as a security key when signing in to their Google Accounts. This brings iPhones in line with Android phones, which have had built-in security-key support since last April.
While this new functionality can be used by any iPhone user as a two-factor authentication (2FA) mechanism, today’s launch is also notable due to its ramifications for Google’s Advanced Protection Program, which is designed specifically to protect accounts most at risk of being hacked — such as those belonging to political campaign teams. The upcoming U.S. Presidential election faces threats on multiple fronts, a fact that has led all the big tech companies to rejig their platforms to avoid abuses, and it’s against that backdrop that Google is now broadening its security smarts to better support iPhone users.
Advanced protection
Google first announced its Advanced Protection Program back in October 2017 as a way for individuals at elevated risk, such as journalists, political campaigners, and activists, to protect their Google accounts from takeover. The program rests on three security mechanisms: it resists phishing by requiring a physical security key as the second factor for sign-in, it restricts access to Gmail and Google Drive data to Google's own apps and a short list of vetted third-party apps, and it adds extra verification steps whenever an account recovery process is initiated.
The Advanced Protection Program has catered somewhat to the Apple ecosystem, too, with Google introducing support for Apple's Calendar, Contacts, and Mail apps in 2018. This allows iPhone and iPad users enrolled in the program to synchronize their Google Calendar events with Apple Calendar or read their Gmail in Apple Mail, for example, without turning the program's app restrictions off.
In April last year, Google announced an update that would allow all Android devices (7.0+) to double as a Fast Identity Online (FIDO) security key. This was open to all Google Account users, enabling them to authenticate themselves using their Android phone via Bluetooth on Chrome OS, macOS, and Windows 10 devices. Shortly after, Google extended support to iOS, meaning Android devices could now be used to authenticate Google Accounts on iPhone or iPad too.
The crux of today's news is that iPhones themselves can now be used as a security key by any Google Account user, including those enrolled in the Advanced Protection Program. The one notable difference is that while the security-key functionality is built directly into Android, iPhone users have to activate it through Google's Smart Lock app for iOS.
Googler Filippo Valsorda confirmed (spotted via 9to5Google) that the Smart Lock app uses the iPhone's Secure Enclave, the phone's hardware-isolated key store, which effectively turns the iPhone into a FIDO key.
It uses the Secure Enclave as a security key, it’s pretty cool.
— Filippo Valsorda (@FiloSottile) January 14, 2020
In summary, iPhones can now authenticate Google Accounts via Bluetooth on Chrome OS, iOS, macOS and Windows 10 devices. This makes it just that little bit easier for those in the firing line, such as politicians and their campaigners, to secure their Google Accounts from nefarious actors. Even if a phishing attempt successfully procures someone's username and password, those credentials are useless on their own once the account requires the physical iPhone. The protection is stronger than merely needing the phone nearby: a FIDO key signs a fresh challenge that is bound to the site the browser is actually on, so a lookalike login page that captures a password cannot obtain a signature the real Google sign-in will accept, and the Bluetooth requirement additionally keeps the phone within a few metres of the device being logged in.
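To make the phishing-resistance argument concrete, the following is an added example (not Google's or Smart Lock's code) that models the FIDO/WebAuthn exchange the article relies on: the browser records the origin it is really showing, the phone-side authenticator signs the relying-party ID hash together with that client data, and the account server checks rpIdHash, origin, challenge and signature before accepting the login. The relying-party ID, origins and challenge format are constructed for the example, and real authenticator data (flags, signature counter, the Bluetooth transport) is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Constructed names for this example, not Google's real parameters.
const (
	rpID        = "accounts.example"
	rpOrigin    = "https://accounts.example"
	phishRpID   = "accounts-example.evil"
	phishOrigin = "https://accounts-example.evil"
)

// clientData is built by the browser, which records the origin it is really
// showing; the page's JavaScript cannot forge that field.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct { // what the relying party receives back
	RPIDHash       [32]byte
	ClientDataJSON []byte
	Signature      []byte
}

func digest(rpHash [32]byte, cdJSON []byte) []byte { // signed data: SHA-256(rpIdHash || SHA-256(clientDataJSON))
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return d[:]
}

// authenticator models the phone as a security key: one private key per relying-party ID, never leaving the device, never seeing a password.
type authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func (a *authenticator) sign(rp string, cdJSON []byte) (assertion, error) {
	priv, ok := a.keys[rp]
	if !ok {
		return assertion{}, fmt.Errorf("no credential for rpId %s", rp)
	}
	rpHash := sha256.Sum256([]byte(rp))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(rpHash, cdJSON))
	return assertion{RPIDHash: rpHash, ClientDataJSON: cdJSON, Signature: sig}, err
}

func newChallenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand: a short read is treated as fatal on supported platforms
	return fmt.Sprintf("%x", b)
}

// verify is the account server's check: rpIdHash, origin, the challenge it
// issued, and finally the signature. Failing any one of them rejects the login.
func verify(pub *ecdsa.PublicKey, challenge string, as assertion) error {
	if as.RPIDHash != sha256.Sum256([]byte(rpID)) {
		return fmt.Errorf("rpIdHash mismatch: assertion made for another site")
	}
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Origin != rpOrigin {
		return fmt.Errorf("origin mismatch: signed on %s", cd.Origin)
	}
	if cd.Challenge != challenge {
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	}
	if !ecdsa.VerifyASN1(pub, digest(as.RPIDHash, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// login models navigator.credentials.get() on a page at origin asking for rp,
// then the server-side check. Any password the user also typed plays no part.
func login(origin, rp string) error {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	auth := &authenticator{keys: map[string]*ecdsa.PrivateKey{rpID: priv}}
	challenge := newChallenge()
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	as, err := auth.sign(rp, cdJSON)
	if err != nil {
		return err
	}
	return verify(&priv.PublicKey, challenge, as)
}

func main() {
	fmt.Println("real site:          ", login(rpOrigin, rpID))
	fmt.Println("phishing site:      ", login(phishOrigin, phishRpID)) // no credential for that rpId
	fmt.Println("phishing, real rpId:", login(phishOrigin, rpID))      // origin mismatch
}
```

The second scenario is the normal phishing path: a browser only lets a page request its own domain as the relying-party ID, so the phone has no credential to sign with. The third scenario drops that browser rule to show that the origin the browser bakes into the client data still exposes the fake page, which is why the stolen password never becomes a working login.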
It’s worth noting here that while iPhone users could already participate in the Advanced Protection Program, they previously would have needed to buy a physical security key — this not only creates extra friction, but it could also prove costly if a political campaign team has hundreds of staffers.
Author: Paul Sawers
Source: VentureBeat