Following an update to Google's iOS Smart Lock app, iPhones can now be used as a Fast Identity Online (FIDO) security key. This replaces the physical hardware keys previously required — and brings the iPhone into line with Android phones.
Users with Google accounts using the company's highest security features can now use an Apple iPhone to authenticate themselves when logging in via Chrome. Google's Smart Lock app now leverages Apple's secure enclave to allow an iPhone to act as a two-factor authentication key.
Two-factor authentication gives stronger protection than the more familiar two-step verification, where a user typically gains access by entering a code sent separately. That system's security relies on the user being the only person who knows the code that was sent.
Two-factor authentication can instead rely on the user possessing a device or a physical key. For the iPhone to act as the key, it has to be physically close to the device that is being used to log in.
Because of this stronger requirement, the Google Advanced Protection Program previously required either a separate, physical hardware key or an Android phone.
Hardware keys can be expensive, especially when needed for a large team, but the capability is now available at no extra cost on iOS via Google Smart Lock 1.6 for iOS. The latest update adds the ability to "set up your phone's built-in security key, the best second factor protection for your Google Account."
It uses the fact that recent iPhones have a secure enclave. Once set up, the secure enclave holds your Touch ID fingerprint or Face ID information. When Google needs to verify that you are logging in to your account, it can check with the secure enclave that your face or fingerprint matches.
So the iPhone itself becomes the hardware key that you can use to unlock your Google Account. This brings iPhones running the latest iOS 13 into line with Android 7+ phones, which gained the facility in mid-2019.
The feature is intended for high-profile users or those with sensitive data in their Google accounts. As well as requiring higher-security authentication for a user to gain access to their Google account, the service also limits the ability of other apps to do so.
In 2018, Google added the ability for Apple's core Mail and Calendar apps to sync with Gmail and Google Calendar after authentication.
27 Comments
FIDO is a convoluted and weird spec where you have a master key that decrypts a site key that is actually stored on the site... but I guess if they can make the apps simple and available enough it might catch on. Personally I would prefer something like SQRL.