You don’t need for an app for this. Google has made it possible to use your iPhone as a two-factor authentication key, just as it did last year for Android phones.
Two-factor authentication adds an extra layer of security to account log-ins. It’s most commonly encountered as a one-time passcode texted to your phone. That form of 2FA, while certainly more secure than single-factor authentication, is susceptible to SIM card jacking. Alternatively, many people use a phone-based authentication app that generates a passcode, or a physical hardware key that uses Bluetooth, NFC, or USB.
2FA is gradually becoming more widely available and adopted. But despite nearly every cybersecurity expert agreeing that it makes account log-ins more secure and resistant to phishing and credential-stuffing attacks, it remains an option instead of a default for major online services and apps, and most consumers barely know what it is. While there’s no indication of how many people worldwide use it, fewer than 10 percent of Google account users had activated it by January 2018, the most recent figure available.
Google is trying to change that, at least with its users.
READ MORE ON TWO-FACTOR AUTHENTICATION
Poor security, not just password reuse, to blame for Disney+ breach
How to move your two-factor authentication app to a new device
How to use your Android as a 2FA key
Primer: How to lock your online accounts with a security key
How YubiKey could double-lock your online accounts
How to set up two-factor authentication
Emily Schechter, product manager for Chrome Security, said at the company’s I/O 2019 developer conference that since Google mandated in 2018 that all of its employees use a hardware 2FA key, none of their Google accounts has been successfully phished.
“Here at Google, there has never been a successful phishing attempt on a Googler since we implemented security keys,” she said.
But forcing your employees to carry around another device is one thing; getting consumers to buy, set up, and use a USB stick for the single purpose of account security is another. So how is Google planning to increase consumer adoption of 2FA? It’s making the multipurpose device they’re already carrying around the second authentication factor.
Google’s phone-as-second-factor technology does not offer account protection as robust as standalone two-factor authentication hardware keys, which can be used with a variety of online services, including Twitter, Facebook, Amazon.com, Dropbox, and Apple. And getting consumers to set it up is still very much an adoption hurdle.
Because Android is built by Google, the latest Android devices come with the feature built in, albeit not set up. iPhone users must download Google’s Smart Lock app to run the feature on iPhone. The app uses the iPhone’s passive Bluetooth signal, without pairing, to verify the user’s identity when signing into Google accounts on Mac OS, iOS, Windows 10, and Chrome OS.
The Smart Lock app uses the iPhone’s built-in Secure Enclave as the security key. Secure Enclave is a hard-to-hack chip Apple designed and started integrating in iPhones in 2013. “It’s pretty cool,” tweeted Google security engineer Filippo Valsorda, who added that it adheres to FIDO 2.0 security standards.
To set up your iPhone as a second-factor hardware key for your Google account, you can follow these four steps.
Step 1: Ensure that you have set up a Google account on your iPhone. If you haven’t already done so, go to the Settings on your device. Choose Accounts, Add account, and then select Google.
Step 2: Ensure that you have two-factor authentication set up on your Google account. If not, go to Google’s two-factor authentication setup page, and follow the instructions. You’ll be asked to log in to your Google account and enter your phone number for SMS confirmation.
Step 3: On a laptop or desktop, open a Chrome browser, and go to myaccount.google.com/security. Click on “2-Step Verification.”
Step 4: Scroll down the list of choices for receiving the second key, and select “Add Security Key.” Your phone should be listed as an option. Select it.
Step 5: If you haven’t already, your phone will prompt you to install the Smart Lock app. The app will prompt you to allow it to send you notifications, which must be allowed for the app to work.
Afterward, when you log in to your Google account on a separate device, it will prompt you to verify your sign-in by tapping the Yes button that pops up on your iPhone via the Smart Lock app.
Disclosure: Yubico provided The Parallax with a two-factor authentication YubiKey.