
Your Android Phone Is a Security Key - arusahni
https://blog.google/technology/safety-security/your-android-phone-is-a-security-key/
======
sakisv
I like the idea behind it in principle, since it will simplify 2FA for the
masses and may lead more people to adopt it.

But, apart from that: 1. It's only on Chrome (for now(?)) 2. It's only for
Google products (for now (?)) 3. It's only on Android that Google fully
controls remotely (and probably it will stay there).

All these give even more power to Google at the expense of convenience and
allow a single company to define "how things should be done".

And I should clarify that I am not against this tech specifically. If
anything, I think Google has some of the brightest minds, so _technically_ I'm
sure that the product will be great.

The problem is that with great power comes something that Google (as a
company) seems to be lacking lately.

~~~
peterwwillis
The problem isn't even Google, it's just lack of actual support for services
that need it. You have to have the right client, the right device, _and_ every
website has to implement it.

Government websites won't support it, nor most financial services, your gym,
school, job, etc. Sensitive records like your SSN will be kept in walled
gardens accessible by a simple user and password, and maybe a security
question. Most people will still be at significant risk of exposure because
the real targets of information theft aren't logged into by end-users.

But your Gmail account will be _locked down_.

~~~
Bluestrike2
Admittedly, that's not a minor benefit. If someone has access to your Gmail
account, there's all sorts of information there they can use to engineer
access to other services.

The naive optimist in me wants to think that making security keys accessible
to more users, and getting them used to them, will lead to pressure for other
services to follow suit. But then I think about how long people have been
criticizing banks for ridiculous password policies that are seemingly
universal in the industry, and I know better. Or bad security practices at
organizations in general. I'd very much like to be proven wrong.

~~~
godelski
I mean the problems I have with banks are 1) you type your username and
password on different pages 2) password limits of like 20 chars.

We're in a day and age where people should be using password managers (even my
tech illiterate parents use them). So why are character limits set so low? I
want my bank password locked down. And we're in a day and age where (1)
shouldn't even be an issue. I'm not sure what other issues people face, but
I've seen these patterns with multiple banks.

I think banks get lip more because they are a clear case where security should
be VERY high. Just like you should protect your email strongly (note google
does (1)[0]).

[0]
[https://screenshots.firefox.com/v9AjmrW7jtr1aGg3/accounts.go...](https://screenshots.firefox.com/v9AjmrW7jtr1aGg3/accounts.google.com)

[0'] If someone is an actual security expert, I'd like to know why (1) is an
acceptable practice. (My bank does it, but they pass you to the password page
no matter what you type in, which seems safer than what google is doing)

~~~
indecisive_user
>If someone is an actual security expert, I'd like to know why (1) is an
acceptable practice.

So your issue here is that Google tells you whether it's a valid email address
before you enter in a password?

You could validate email addresses yourself by sending out a ton of emails to
different permutations of *@gmail.com and seeing which ones come back as
undeliverable. An email address on its own isn't inherently private so this
doesn't seem to be a security risk to me unless I'm missing something.

~~~
deathanatos
I interpreted the parent's complaint in (1) as the login form having the
username/password entries split across two screens, not as a complaint that it
tells you the account doesn't exist.

AIUI, splitting the entry across two screens like that breaks a lot of
password managers, as they can't handle it. This hampers the adoption of
password managers, which would largely help the average Joe's security.

Google supports external auth in some cases¹, and to know whether they need to
redirect to that auth, they first need your username / email. Then, you're
either redirected or you're shown the password entry prompt.

I don't know of any banks that do this, so this might not be applicable to
them. (Theirs might just be bad design.)

¹GSuite, not consumer GMail, but I assume the flows are the same

~~~
godelski
You both addressed different parts to my complaint, so thank you both.

I'm definitely dumb enough to not realize that email login might be a special
case because you can check username validity another way (sending emails). And
I didn't know that GSuite had external auth.

These split pages don't actually break lastpass, at least for me. One field is
still called username and another is called password, so they fill properly.

------
drexlspivey
Or you can just use [https://krypt.co/](https://krypt.co/) which uses the same
FIDO standard, is open source, works on both android and iOS (where it
actually uses the secure enclave) and both in Chrome and Firefox

~~~
trulyrandom
An important caveat with Krypton is that while it is open source, the
published source is essentially useless because it is not licensed under a
free license.

~~~
int_19h
That should be sufficient to audit the code, and verify that the binaries
distributed via app stores are actually compiled from it, no? For a security
app, it's pretty useful.

------
doughj3
> Now, you have one more option—and it’s already in your pocket. Starting
> today in beta, your phone can be your security key—it’s built into devices
> running Android 7.0+.

You know, it's nice they phrase this as an "option", but in my experience
Google has the habit of forcing me to have my phone on me when I login from a
new location / new device, something I never asked for and apparently cannot
disable.[0] This has locked me out of my Google account more than once which
also locks me out of anything that sends 2FA to my Gmail or Gvoice. I guess
I'm thankful that I've learned this in non-emergency scenarios, as I'm now
prepping to degoogleify myself, but it's user-hostile in my opinion.
Security always has convenience trade-offs, but let the user decide where they
want to draw that line.

[0]
[https://pbs.twimg.com/media/D3WJ0UdXkAASs_O.png](https://pbs.twimg.com/media/D3WJ0UdXkAASs_O.png)

~~~
icebraining
Google has always given me other options, does it really enforce having a
phone now?

~~~
doughj3
I don't know how they determine what options to offer, but using my phone was
the only one given, despite entering a _correct password_. The only other
option, which I either found from the "Learn more" link or after exhausting
the "login with your phone" attempts, was to create a support ticket for my
G-suite account which, in this case, would have been slower than returning to
home a few hours later where I had left my phone.

~~~
jgroszko
There's an option on
[https://myaccount.google.com/security](https://myaccount.google.com/security)
to turn off 2-step login.

~~~
doughj3
Sorry for being thick, but I'm not seeing it. This is a G-suite account
(though I'm the only user / admin) so maybe it's different.

~~~
binarycrusader
From my G-Suite account (where I'm the only user / admin), it shows two-step
verification settings here:

[https://myaccount.google.com/signinoptions/two-step-verifica...](https://myaccount.google.com/signinoptions/two-step-verification/)

~~~
doughj3
That seems to redirect me to the same page linked earlier in this thread
([https://myaccount.google.com/security](https://myaccount.google.com/security)).
Taking a look in my admin console, it looks like "Allow users to turn on
2-step verification" is unchecked, so presumably 2-step verification is not
enabled for this account. That's exactly what I want, but it seems Google is
failing to abide when they think I'm a "hacker". Other people have had the
same frustrations[0][1] but there is apparently no way to stop Google
requiring additional verification at their whim. Ultimately that means Google
controls when I can and can't login to my account, so it ceases to be a usable
product for me.

I appreciate your help, though!

[0]
[https://support.google.com/mail/forum/AAAAK7un8RUP1RC23nwRZ4](https://support.google.com/mail/forum/AAAAK7un8RUP1RC23nwRZ4)

[1]
[https://support.google.com/mail/forum/AAAAK7un8RUZvZQQfsawrE](https://support.google.com/mail/forum/AAAAK7un8RUZvZQQfsawrE)

~~~
rathish_g
Did you enable 2FA from [https://admin.google.com/](https://admin.google.com/)
for your account?

Dashboard -> select Security -> Basic Settings -> Two-Step Verification
setting

------
Hamuko
I don't know how I feel about making a device so endlessly hackable a
"security key".

~~~
guelo
All Android devices certified by Google will have a hardware security module
which should keep the keys secure. Some cheap non-certified devices (mostly
Chinese) might not have hardware backed keystores, but I doubt those devices
would be able to run this Google app.

~~~
zimmerfrei
>> All Android devices certified by Google will have a hardware security
module which should keep the keys secure.

Source? I understood that having a HW-backed key store is still entirely
optional for the purpose of Android certification.

On top of that, I noticed some ambiguity on whether a TEE like ARM TrustZone
qualifies as a hardware-grade protection mechanism in the same way a discrete
and dedicated crypto processor is (I think the two technologies provide very
different assurance levels).

~~~
kpU8efre7r
Titan M. They have it built into their Pixel devices much like a tiny mobile
TPM.

[https://www.blog.google/products/pixel/titan-m-makes-pixel-3...](https://www.blog.google/products/pixel/titan-m-makes-pixel-3-our-most-secure-phone-yet/)

With that said, I cant find mention of this on the page so it's probably not
leveraging this.

~~~
dgacmu
It is. If you have a pixel you can just use a button press, because the Titan
M can directly sense the button state.

------
markstos
Looks like Google has used the open Web Bluetooth specification (that only
Chrome currently supports) along with the open FIDO Bluetooth spec
([https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fid...](https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-bt-protocol-v1.2-ps-20170411.html)).

A read-only, non-wireless security key like Yubikey would be even more secure,
but this is an improvement over TOTP codes, which can be phished.

This is also better than SMS 2FA, which is prone to phone-number theft.

It's also better than Push notifications for 2FA, which rely on third-party
servers.

This solution uses Bluetooth between your phone and the Chrome browser,
offering a good balance of security and convenience.

~~~
Rafert
FWIW that is a really old spec. The FIDO 2.0 Bluetooth transport is described
at: [https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-cl...](https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#ble)

But an article from VentureBeat[0] mentioned it's a new transport called
'cloud assisted Bluetooth Low Energy' or caBLE, which they've submitted to
FIDO for standardization.

[0]: [https://venturebeat.com/2019/04/10/you-can-now-use-your-andr...](https://venturebeat.com/2019/04/10/you-can-now-use-your-android-phone-as-a-2fa-security-key-for-google-accounts/)

------
mattjack
They don't make this very obvious but this only works in Chrome. So you'll
have to use SMS codes, the Authenticator app, or backup codes everywhere else.
(edit: they explicitly say so when activating it but not as clearly in the
docs)

~~~
michaelmior
> all you need is an Android 7.0+ phone and a Bluetooth-enabled Chrome OS,
> macOS X or Windows 10 computer with a Chrome browser

~~~
eitland
Heh, Microsoft seems better than Google to support Linux in new products now.
VS Code is amazing, as is dotnet core.

Who would have thought 5 years ago.

~~~
layoutIfNeeded
Of course they do. This is the “embrace” phase.

~~~
Dylan16807
I could see an argument about WSL being that. But making your software work on
the linux desktop/server? I _really_ don't see how that lets you get into a
position toward extinguishing anything.

~~~
eitland
Especially not when they have open sourced it under a liberal license.

------
godelski
This is great. Hopefully it'll get more people using 2FA. I don't think this
is the best security practice, as others are noting how insecure Android is.
But it's better than nothing. It also pushes more people to use FIDO and 2FA.
This is for the average person. If you want more get a yubi key or something.

~~~
godelski
Edit after trying: It is a little disappointing that it is Chrome only.

~~~
arnarbi
Implementing and maintaining the code in the browser that manages the local
BLE channel to a FIDO authenticator is unfortunately a significant
undertaking.

We (the team behind this at Google) work actively with FIDO and the W3C on the
open standards behind this so that other browsers can support this as well in
the future.

~~~
godelski
I'm very happy with the work and understand it is no trivial feat. But as a FF
user I can't really try it out.

> We (the team behind this at Google) work actively with FIDO and the W3C on
> the open standards behind this so that other browsers can support this as
> well in the future.

Super excited to hear this.

------
wavefunction
This is great other than the fact Google is involved. Now I will admit it's
unlikely (effectively impossible) that this would come to Android without
Google being involved but I am not interested in adding Google to more of my
life. I'm looking to cut them out more and more wherever I can.

------
foobiekr
Most security keys don’t have app stores full of malware.

~~~
jayd16
Now they do.

------
scottlocklin
Your yubikey isn't owned by an evil megacorp.

Use a damn yubikey; they're practically free and don't monetize their users.

~~~
acct1771
As someone who can't currently afford the two Yubikeys needed to finish
securing their internal startup services...please think for just a second
before you say things.

~~~
scottlocklin
I'd have sent you one if you weren't such a dick. Even though your statement
is not remotely believable.

~~~
acct1771
I was slightly a dick because I didn't want anyone to offer - believe all of
these statements or don't.

~~~
scottlocklin
If you can't afford $20 for a yubikey, but have time to post snarky self-
defeating comments on HN, you might consider why you don't have the $20.

------
oneplane
> Your Android Phone Is a Security Key

no it's not. it's pretending to be, but without vendors actually maintaining
and investing in their forks and the hardware having a known good security
enclave, you might as well post your credentials on twitter.

~~~
penagwin
Yeah I don't see how this is any different from the standard Google
Authenticator style affair.

Without a security enclave (which devices are starting to include) I don't see
how this is an improvement.

~~~
oneplane
I think that using a soft token or push notifications are better than nothing,
but a company putting a (often known vulnerable) phone at the same level as a
security key seems like setting a bad precedent. Then again, at least it's not
SMS-verification. Perhaps in future leaks and scrapes of end-user devices we
don't just get data dumps and passwords, but also internal key seeds and
tokens...

It's the secure enclave and the purpose-built firmware that makes a security
key a security key. I'm sure some specific Android devices have a safe
implementation, and I'm sure that some SIM cards and perhaps the recent iPhone
Secure Elements have properties that allow them to be safely used as a
security key, but putting it forward that phones can be seen and used that way
in general lacks that important distinction.

------
duxup
My phone already prompts me when I login to a google account on another
device.

Is this new / different?

~~~
cosinetau
I think the difference is that the prompt you describe still travels over the
wire to get to your device, while this new thing uses Bluetooth based on FIDO
standards.

So the access key the client logging in passes to the server is from the local
device you trust.

~~~
duxup
Ah thank you!

Sometimes google's announcements really make it hard to understand their
products when there is overlap or similarities or what.

------
daphneokeefe
Can someone explain how TFA (or any security feature that relies on my phone)
works when the phone is unresponsive -- dead battery, no cell or internet
reception, hardware failure.

~~~
daphneokeefe
I am interested in how frequent travelers manage these security measures
(especially abroad). For SMS: quickly obtain a burner phone, log in to Chrome,
something something SMS or Authenticator? For Authenticator: log in to Chrome
on any machine you can locate that you can trust? For the printed backup
codes, you carry them with you as you travel, and through security?

I am trying to develop a security process that I can rely on. It only has to
be better than what I have now, it doesn't have to be bulletproof.

~~~
txcwpalpha
When possible, I completely avoid services that use SMS 2FA. If given the
option, I always opt for authenticator apps or codes-via-email 2FA, in that
order. I use SMS 2FA so infrequently that I've never encountered a situation
where I needed to get a code SMSed to me while abroad.

I store my printed backup codes for most of my services in an encrypted file
in my Dropbox (encrypted with a different password than the password used for
Dropbox).

I then also have printed backup codes for my primary email account and for my
Dropbox account that I carry with me on an unmarked piece of paper stashed
deep in a semi-hidden pocket in one of my bags. I also have printed backup
codes for my email and Dropbox stashed in a semi-hidden place in my home, with
the thought that in a last case scenario (or I lose my bags or something like
that), I can phone my roommate and have him read me the code.

It isn't perfect and I feel like it could be improved, but so far it works
fine.

------
kd5bjo
Here in Iceland, there's a security key embedded in your SIM card that
everybody uses as their 2FA solution. It's triggered via a GSM message to your
phone, identifies what the authorization is for, and lets you enter the key's
PIN code to accept.

The whole thing (except the UI) is isolated from the phone's OS so that even
if your phone gets lost or compromised nobody else can auth as you.

~~~
acct1771
This is why that's not great:
[https://www.schneier.com/blog/archives/2015/02/nsagchq_hacks...](https://www.schneier.com/blog/archives/2015/02/nsagchq_hacks_s.html)

------
munchbunny
Is this based on a hardware security module in the phone? I don't see this
written anywhere in the blog post.

For something like this, especially with your phone, putting the private keys
out of reach of the CPU/memory and hardened against side channel attacks is
table stakes.

~~~
arnarbi
For phones that have a dedicated hardware module, such as the Pixel 3, yes the
key material is generated and stored there. Using it requires a physical
action that is hardwired to the hardware module.

We think the most pressing need right now is to protect users against
phishing, which is a much larger threat than malware. Thus we think there's a
lot of value in enabling this for all phone models where it's possible to run
the protocols.

(I'm the TL for this at Google)

~~~
rheerani
So, can the button used be changed or does it have to be standardized across
devices and which is why it's the volume down button? Because the squeeze
function on Pixels or assistant buttons on other devices could be used
instead, though that's just me wondering out loud for an alternative user-
facing implementation because the use of volume button seems strange to me.

~~~
arnarbi
On Pixel 3, no, it cannot be changed. Only the volume down button is wired to
the Titan-M. Why that button rather than others, I don't know.

------
tjbiddle
My Pixel 2 already does this. When I sign into Google I get a notification
that asks if I'm signing in, I click yes, done-zo.

Is the only thing new here the UI + that it's open for all Android 7.0 phones
now?

~~~
gretch
disclosure: I work at google

The thing you have now communicates that yes click over the internet. This new
thing communicates through a local channel (bluetooth).

Communicating over a local channel prevents phishing.

Consider this attack: Attacker hosts googlee.com and you get tricked into
going there. The login site looks exactly like the google site. You type in
username/password just like normal. _In that moment_ they take your phished
credentials and pass it to the actual google server, like a man in the middle.
Now you receive a prompt on your phone asking Yes/No. You click yes, okaying
the attacker's login.

Now that same attack with the local channel communication - they can't take
your signal and pass it on through to google.
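
The relay attack described in the comment above (and the local-channel point in cosinetau's reply earlier in the thread), as an added Python illustration that is not Google's code: the browser writes the origin it is actually displaying into clientData, the phone signs that over the local channel, and the server rejects any assertion whose origin is the look-alike site, whereas a push prompt carries no such binding. The origin strings are assumed values and the signature is simulated with HMAC over a constructed per-credential secret; a real FIDO authenticator uses an asymmetric key, but the origin binding works the same way.

```python
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://accounts.google.com"  # genuine login origin (assumed value)
PHISH_ORIGIN = "https://googlee.com"         # look-alike site from the comment above


def sign(cred_secret: bytes, client_data_json: str) -> str:
    """Simulated authenticator signature over SHA-256(clientData); real keys are asymmetric."""
    digest = hashlib.sha256(client_data_json.encode()).digest()
    return hmac.new(cred_secret, digest, hashlib.sha256).hexdigest()


class RelyingParty:
    """Stand-in for the login server with one registered credential per user."""

    def __init__(self, origin: str):
        self.origin, self.credentials, self.challenges = origin, {}, {}

    def begin_login(self, user: str, cred_secret: bytes) -> str:
        # Reached once the password checks out; in the relay the attacker gets here
        # by forwarding the phished password to the real server.
        self.credentials[user] = cred_secret
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def finish_with_push(self, user_tapped_yes: bool) -> bool:
        # Push prompt: nothing ties the tap to the page where the password was typed.
        return user_tapped_yes

    def finish_with_fido(self, user: str, client_data_json: str, signature: str) -> bool:
        client_data = json.loads(client_data_json)
        if client_data.get("origin") != self.origin:
            return False  # the browser that built clientData was on a different site
        if client_data.get("challenge") != self.challenges.get(user):
            return False  # stale or replayed challenge
        expected = sign(self.credentials[user], client_data_json)
        return hmac.compare_digest(expected, signature)


def browser_sign_in(page_origin: str, challenge: str, cred_secret: bytes):
    """The browser builds clientData with the origin it is actually showing (the page
    cannot override it) and the phone signs it over the local Bluetooth channel."""
    client_data_json = json.dumps({"challenge": challenge, "origin": page_origin}, sort_keys=True)
    return client_data_json, sign(cred_secret, client_data_json)


def run_scenarios() -> dict:
    secret = secrets.token_bytes(32)  # credential key held by the phone (constructed)
    rp, results = RelyingParty(REAL_ORIGIN), {}
    # 1. Push prompt during the relay: the victim taps yes, the attacker's session is approved.
    rp.begin_login("victim", secret)
    results["push_relay"] = rp.finish_with_push(user_tapped_yes=True)
    # 2. Honest FIDO login from the genuine origin.
    ch = rp.begin_login("victim", secret)
    results["fido_honest"] = rp.finish_with_fido("victim", *browser_sign_in(REAL_ORIGIN, ch, secret))
    # 3. Relay: the attacker forwards a real challenge, but the victim's browser is on googlee.com.
    ch = rp.begin_login("victim", secret)
    cdj, sig = browser_sign_in(PHISH_ORIGIN, ch, secret)
    results["fido_relay"] = rp.finish_with_fido("victim", cdj, sig)
    # 4. Attacker rewrites the origin field before forwarding; the signature no longer covers it.
    forged = json.dumps({"challenge": ch, "origin": REAL_ORIGIN}, sort_keys=True)
    results["fido_relay_tampered"] = rp.finish_with_fido("victim", forged, sig)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```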

~~~
plttn
As there's very little documentation on this right now: couple of related
questions (feel free to ignore them I don't want to guilt you into it)

1. It doesn't seem to be using the Titan M flow on my Pixel 3 currently

2. After reinstalling GMS on my phone to try and get the Titan M working, it
stayed registered as a key, but the prompt never shows up on my device.

I guess this is more of a "flag for internal review" vs a "please provide me
with answers".

~~~
arnarbi
Thanks for this! I'm the TL for this at Google.

Re 1: The Titan-M specific flow is still rolling out, you should see your
phone switch to the volume-down UI soon.

Re 2: I've flagged this and we'll look into it.

~~~
plttn
Hey, thanks so much!

------
codemac
Is there any way to get this working in Firefox? :(

~~~
correct_horse
It probably depends on Web Bluetooth, which Firefox doesn't yet support, see
[https://developer.mozilla.org/en-US/docs/Web/API/Web_Bluetoo...](https://developer.mozilla.org/en-US/docs/Web/API/Web_Bluetooth_API)

As an aside, I'm not sure that I want random JavaScript to be able to do
Bluetooth stuff. At the least, I'd want the ability to limit it on a per-
website basis.

------
ksec
Off topic:

This is the state of web we are in, and this is coming from Google. [1] I have
literally 20% of the screen displaying useful information. The others are all
useless navigation or related crap. Just seeing it nearly got me to puke.

It is one those problem in general where the web page is _responsive_ and
_mobile_ first.

[1] [https://ibb.co/fCfmW6h](https://ibb.co/fCfmW6h)

~~~
NikolaNovak
I fully 101% agree with you in principle, but in this particular case my
experience is wildly different. As soon as I scrolled, the navigation got out
of the way, and all I have is text - with author's decision to keep large wide
white margins. (Vanilla Chrome on Windows - no extensions/plugins/blockers, no
reader mode, etc)

[https://imgur.com/5DOqvj1](https://imgur.com/5DOqvj1)

~~~
phyzome
What happens when you scroll up a tiny amount? Do the floating dickbars come
back?

In my case, I didn't opt in to running the site's javascript... so there were
no floating bars. :-)

