In April, Google made a bold announcement: "The ultimate account security is now in your pocket." Those are some eye-catching words for anybody concerned about the privacy and security of online accounts, which should be everybody.
Google’s statement was about a new way to use your Android phone as a security key to better protect your Google accounts. It's designed to help combat phishing attacks aimed at getting access to your sensitive online data. Google calls this "the most common cause of security breaches."
Google says it already is able to stop most malicious sign-in attempts, but this additional layer of protection is meant to shield you from those rare cases where usual methods might not be working.
Get to know Google’s security keys
Security keys work with two-step verification (also known as two-factor authentication) to keep hackers out of your accounts. Two-factor authentication requires a second step beyond just providing your password to access your account. For example, when you try to sign in, you may be required to also type in a code that’s sent to you in a text message or email in order to verify who you are.
Check out our Komando guide to two-factor authentication and the accounts you should be using it with. If you haven’t already, follow the steps to enable this extra security for your Google accounts.
Two-factor authentication may not always be enough, as a famous hacker demonstrated with a fresh exploit earlier this year. This is where a security key can be helpful.
Google introduced a version of this last year called the Titan Security Key, a USB device that plugs into your computer’s USB port to give you access to your accounts in addition to requiring your password. A Bluetooth version of the key works to unlock accounts on your phone. It’s kind of like how you use a car key to start your vehicle.
One issue with a security key like Titan is that it’s a small gadget and losing it can mean getting locked out of your accounts. Google’s new phone-as-security-key feature is meant to make this whole process a little easier without requiring you to carry around extra hardware. Your Android phone becomes the external key.
Use your Android phone as a security key
Google’s new security-key feature works with smartphones running Android 7.0 and up. You also need a Bluetooth-enabled computer running Chrome OS, macOS X or Windows 10 with a Chrome browser. If you’ve checked all those boxes, then we can get this up and running.
Your Google account should already be connected to your phone. Next, make sure to enroll in Google’s 2-step verification, which it abbreviates as "2SV." Visit Google’s 2SV site to make sure verification is on for your account. I’ve had this feature enabled since 2013, so I’m good to go with enabling the security key on my phone.
On the same 2-step page for your account, scroll down and look under "Set up alternative second step." Click on Add Security Key. This pops open a window showing your phone or the option to use a USB or Bluetooth key. For me, it reads "Motorola Moto G Plus." Click on your phone.
Google will tell you that Bluetooth and Location need to be turned on so your devices can check that they are near each other. Also, these security keys only work on Chrome. Click "Add" to finish and get a confirmation.
I tested this out by first revoking trusted status from all my devices (an option available on Google’s 2-step page). I then logged out of my Google accounts on both my Windows desktop and my Mac laptop.
When I logged in again, I provided my password and then received a notice on my phone asking if it was me trying to log in. I confirmed on my Android and was back into my accounts with very little fuss.
There’s no one security method that will magically protect us from every possible hack, but two-factor authentication and using a security key can help. It’s easy to try it out and you might feel a little safer.
How to spot phishing attacks
We all have to be on our toes online, especially when it comes to sneaky phishing attacks. These scams are designed to extract sensitive information, like online account logins. They may appear as cleverly disguised emails that look legitimate. We'll show you how to spot these phishing attacks and how to avoid becoming a victim.