With the latest update to Google's Smart Lock app for iOS, you can now use your iPhone as a physical 2FA security key to sign in to Google's first-party services in Chrome. When you try to sign in to a Google service on a device such as a laptop, a push notification is sent to your nearby iPhone. You then unlock your Bluetooth-enabled iPhone and tap a button in the app to approve the sign-in before the login on your laptop completes. The news was first reported by 9to5Google.
Two-factor authentication is one of the most important steps in securing your online accounts: it adds a layer of protection beyond a username and password. Physical security keys are much stronger than today's six-digit codes, because a code is something the user types and can be phished or intercepted almost as easily as a password. With Google, you can already use your Android phone as a security key; now that the feature is also available on iOS, anyone with a recent Android phone or iPhone has a security key without buying a dedicated device.
The new flow is similar to the existing Google Prompt, but the main difference is that the Smart Lock app talks to the browser over Bluetooth rather than over the Internet. Your phone therefore has to be physically near your laptop for the authentication to succeed, which adds a further layer of protection: the approval cannot be given from somewhere else. The app itself, however, does not ask for biometric authentication. If your phone is already unlocked, someone nearby could in theory open the app and approve a login attempt.
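To make the difference between a six-digit code and a security key concrete, here is an added illustration in Python; it is not code from the article, from Google, or from the Smart Lock app. It models the phishing relay that defeats one-time codes and shows why a security-key style response survives it: the key's answer is bound to the origin the browser actually saw, not to whatever the page claims. The "security key" here is a simplified stand-in that uses an HMAC with a per-device secret instead of a hardware-backed private key (the origin names and challenge are constructed sample data); the origin check that defeats the relay is the same check a real FIDO verifier performs.

```python
"""Added illustration (not code from the article, Google, or the Smart Lock
app): a relayed six-digit code is accepted by the real server, a relayed
security-key assertion is not, because the assertion is bound to the origin.
The 'security key' is a stand-in: HMAC with a per-device secret instead of a
hardware-backed private key; the origin check is the part that matters."""
import hashlib
import hmac
import struct

REAL_ORIGIN = "https://accounts.google.com"       # the genuine site
PHISH_ORIGIN = "https://accounts-google.example"  # constructed attacker domain


# --- Baseline: six-digit time-based code (RFC 6238 TOTP, SHA-1, 30 s step) --
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """HOTP over the current time step; what an authenticator app displays."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """The real server accepts a code matching the current step (+/- one step)."""
    return any(hmac.compare_digest(totp(secret, unix_time + d), code)
               for d in (-30, 0, 30))


def relay_totp(secret: bytes, unix_time: int) -> bool:
    """Victim types the code into the phishing page; the attacker forwards it.
    Nothing ties the code to a site, so the real server accepts it."""
    code_typed_on_phish_page = totp(secret, unix_time)
    return server_verify_totp(secret, code_typed_on_phish_page, unix_time)


# --- Security key: response bound to the challenge AND the origin -----------
def key_assertion(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for the hardware signature. The browser, not the web page,
    supplies the origin it is actually connected to."""
    return hmac.new(device_key, challenge + origin.encode(), hashlib.sha256).digest()


def server_verify_key(device_key: bytes, challenge: bytes, assertion: bytes) -> bool:
    """The real server only accepts assertions made for its own origin."""
    expected = key_assertion(device_key, challenge, REAL_ORIGIN)
    return hmac.compare_digest(expected, assertion)


def legit_key_login(device_key: bytes, challenge: bytes) -> bool:
    """Normal sign-in: the browser is on the genuine site."""
    assertion = key_assertion(device_key, challenge, REAL_ORIGIN)
    return server_verify_key(device_key, challenge, assertion)


def relay_key(device_key: bytes, challenge: bytes) -> bool:
    """Attacker proxies the real server's challenge through the phishing page.
    The victim's browser binds the response to PHISH_ORIGIN, so it fails."""
    assertion = key_assertion(device_key, challenge, PHISH_ORIGIN)
    return server_verify_key(device_key, challenge, assertion)


if __name__ == "__main__":
    secret = b"12345678901234567890"                         # RFC 6238 test secret
    device_key = hashlib.sha256(b"constructed demo device key").digest()
    challenge = b"server-challenge-0001"                      # constructed
    print("relayed TOTP accepted:      ", relay_totp(secret, 59))               # True
    print("genuine key login accepted: ", legit_key_login(device_key, challenge))  # True
    print("relayed key assertion:      ", relay_key(device_key, challenge))       # False
```

The Bluetooth proximity requirement described above is a second, independent defence that this model does not capture: even if an attacker could somehow obtain a correctly bound assertion, the phone still has to be within radio range of the machine that is signing in.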
According to a cryptographer working at Google, the new feature uses the Secure Enclave in the iPhone's processor to store the device's private keys securely. The Secure Enclave was first introduced with the iPhone 5S, and according to the Google app iOS 10 or later is required.
The new iPhone support appears to be limited to authenticating Google sign-ins through the Chrome browser. When we tried to authenticate a login to the same service (we tested with Gmail) from Safari on a MacBook using an iPhone, we were asked to insert our security key (which we did not have), which meant that, as an extra step in our sign-in process, we had to choose an alternative 2FA option.