If you’re serious about securing your online accounts, then you should already be using unique, strong passwords for your online properties, preferably with the help of a password manager. Many products and services now also support two-factor authentication (2FA), which adds another layer of protection on top of that password. You should be using 2FA with all your valuable accounts, especially the ones you use to manage money and personal data. It’s one thing for hackers to steal your Netflix account, and quite another for thieves to get control of a banking app or email account. But even 2FA is not always convenient, especially if it involves entering a code you’ve just received via SMS. A better alternative is using a standalone gadget to act as your 2FA authenticator. And when it comes to Google accounts, the iPhone happens to be one such device.
Your Google account holds the keys to a treasure trove of data, as it controls all your Google properties, including Gmail, Search, YouTube, Maps, and many others. And Google has now transformed the iPhone into a device that acts a lot like a FIDO 2FA key — Google, by the way, makes its own 2FA physical keys.
Google updated the Google Smart Lock app this week to turn the iPhone into a 2FA security key, 9to5Google reports. A Googler confirmed on Twitter that the company is using the Secure Enclave in the iPhone’s A-series chip to turn the iPhone into a 2FA device. If that name rings a bell, that’s because the Secure Enclave is a chip that holds Face ID or Touch ID data, as well as other cryptographic data.
It uses the Secure Enclave as a security key, it's pretty cool.
— Filippo Valsorda 💉💉🎉 (@FiloSottile) January 14, 2020
To use the iPhone as a 2FA authenticator on Google accounts, you’ll have to set it up as one in the Smart Lock app. Once that’s done, every time someone uses the Google Account credentials to log in, they’ll have to open Smart Lock on the iPhone and confirm it. The iPhone has to be in the vicinity of the computer used to sign in to Google apps, as the data is sent locally over Bluetooth. That iPhone protection would make it impossible for anyone else to log into your 2FA-protected Google account. They’d need to get your device to do it, and that means they’d have to bypass the screen lock to get to the Smart Lock app.
Google’s move reconfirms Apple’s high security standards when it comes to user privacy and data security at a time when the government is calling, again, for the iPhone maker to ruin iPhone encryption.