Android phones can now be security keys for iOS devices
In April, Google announced that it was making secure access keys available on its Android phones. These software-based keys are based on the FIDO2 standard, which is a community attempt by several industry players to make secure logins easier.
Instead of having to remember a password when logging into a website, you can use a digital key stored on a piece of suitable hardware. Google and other vendors offer small hardware dongles that connect either via a computer’s USB port, or via Bluetooth. Your browser reads the digital key from the device and sends it to the website to prove that you’re legit.
Letting users store this digital key in their Android phones turns it into a secure access device that requires you to be in physical control of your phone to authenticate to a site on your computer. By using the Bluetooth connection in their phones, they can authenticate themselves when logging into Google services.
These phone-based keys also stop phishers from mounting man-in-the-middle attacks. The phone stores the key against the URL of the website it’s trying to access so it isn’t available to the wrong (phishy) URL.
The key-on-a-phone feature already worked with Google Chrome on the ChromeOS, macOS, and Windows 10 platforms. Now, Google has opened it up to iOS as well. It had to tweak things a little because the Chrome browser on iOS uses a different, Apple-mandated browser engine called WebKit rather than Chrome’s default Blink engine.
Instead of using Chrome on iOS, Google uses Smart Lock. This iOS app lets you sign into your Google account if you have a security key.
The service makes Google even more secure for iOS users, but the catch for now is that it only works with Google services. To make Bluetooth access between the Android phone and the user’s computer as seamless as possible, Google introduced a new technology that eliminates the need to pair the computer and the phone via Bluetooth.
The fast Bluetooth connection technology makes for quick, seamless access, but it hasn’t been standardized yet. The company has submitted it to the FIDO Alliance, but standardization will take time. Google product manager Christiaan Brand hopes that:
Once that is standardized, then we’ll see other websites and other browsers can implement this same thing and also allow that for their website.An Android-based security key might be a handy tool for iOS users who made the switch but still have their old Android phone lying around, or perhaps people who use different phones in their work and personal lives.
The alternative to using your Android phone is to just buy an NFC-enabled key for the iPhone. Google’s key uses Bluetooth and has had problems recently. Yubikey’s uses NFC, and the company is also working on a version that plugs into the Lightning port on iOS devices
via nakedsecurity
