People using Google apps on iOS can now use NFC-based, USB and Lightning security keys for two-factor authentication when logging into their Google accounts. That's because Google is bringing app support for W3C WebAuthn to iOS 13.3 and above.
As part of this update, there’s now support for various brands of security keys, including Yubico's YubiKeys and Google's own Titan keys, via NFC and the Lightning port. Google said people can use these keys on their iPhones and iPads to access its iOS apps and various web services on Safari.
- Best antivirus: stay protected when online
- Best VPN: pick the best provider for privacy and geo-spoofing
- Read More: iPhone XR vs iPhone XS vs iPhone XS Max - what should you buy?
Christiaan Brand, product manager of Google Cloud, wrote in a blog post: “This capability, available for both personal and work Google Accounts, simplifies your security key experience on compatible iOS devices and allows you to use more types of security keys for your Google Account and the Advanced Protection Program.”
As well as being able to use the YubiKey 5ci's Lightning plug to access Google accounts on iPhones and iPads, Brand explained users can also use other security keys. He advised:
- Both the USB-A and Bluetooth Titan Security Keys have NFC functionality built-in. This allows you to tap your key to the back of your iPhone when prompted at sign-in.
- You can use a Lightning security key like the YubiKey 5Ci or any USB security key if you have an Apple Lightning to USB Camera Adapter.
- You can plug a USB-C security key in directly to an iOS device that has a USB-C port (such as an iPad Pro).
- We suggest installing the Smart Lock app in order to use Bluetooth security keys and your phone’s built-in security key, which allows you to use your iPhone as an additional security key for your Google Account.
He recommended that high risk users, such as journalists, activists, business leaders and politicians should use security keys and sign up for Google's Advanced Protection Program. (Nest users got the ability to sign up for Advanced Protection just a couple of days ago.)
Brand added: “If you’re working for political committees in the United States, you may be eligible to request free Titan Security Keys through the Defending Digital Campaigns to get help enrolling into Advanced Protection.
“You can also use security keys for any site where FIDO security keys are supported for 2FA, including your personal or work Google Account, 1Password, Bitbucket, Bitfinex, Coinbase, Dropbox, Facebook, GitHub, Salesforce, Stripe, Twitter, and more.”
Why everyone should use a security key
Security keys are perhaps the strongest factor available for two-factor-authentication schemes, as they are devices that you carry with you all the time instead of text messages that can be intercepted or redirected, or authenticator apps that can be spoofed or phished.
Security keys are made by many companies other than Yubico and Google, although those two companies have been working together to create universal standards. The cheapest USB-A security keys retail for as little as $15, and you can even build your own security key.
Google requires all its employees to have a security key, and the company boasts that it hasn't had a single successful internal phishing attempt since the program was instituted.