Android phones transformed into anti-phishing security tokens

Google just announced a new security feature that allows users of Android 7 and later to use their smartphones to authenticate themselves to their Google accounts.

The surprise announcement was buried inside a pile of enterprise-oriented enhancements revealed at Google Cloud Next 2019 in San Francisco on Wednesday.

Released in beta, the feature is designed to protect Google users from phishing attacks. Once enabled, the user logs into their Google account using their username and password as normal before authenticating that their enrolled smartphone is present by clicking on a message that appears on the screen.

It’s identical in principle to using a FIDO USB token such as the YubiKey (or Google’s Titan key equivalent launched last year), except that the smartphone itself becomes the token.

This defeats phishing in the same way a token does because even if attackers get hold of someone’s Google username and password they can’t access the account without also having the smartphone.


To use your Android phone (tablets don’t appear to be supported yet) as a security key, you must have a phone running Android version 7.x or later, and you need to turn on Bluetooth.

Your computer must also have Bluetooth, and be running the latest version of the Chrome browser, on a Chrome OS, macOS X or Windows computer.

How to turn it on

From Google’s support blog:

Step 1: Add the security key to your Google Account

  1. Turn on 2-Step Verification and add a verification method like Google Prompt.
    • If you already use 2-Step Verification, you can move on.
  2. On your Android phone, go to
  3. Under “Signing in to Google,” select 2-Step Verification. You might need to sign in.
  4. Scroll down to “Set up an alternative second step.”
  5. Select Add Security Key and then Your Android phone and then Turn on.

Step 2: Use your Android phone’s built-in security key

  1. On your computer, make sure Bluetooth is turned on in your settings or preferences.
  2. On your computer, sign in to your Google Account with your username and password.
  3. Check your Android phone for a notification.
  4. On your Android phone, double-tap the “Are you trying to sign in?” notification.

How does it work?

Google’s blog on the topic is light on technical detail but we can confidently assume this is the predicted marrying of FIDO2 protocols recently added to Android, and the wider WebAuthn authentication standard.

To simplify, browsers supporting WebAuthn communicate securely with the server, in this case, Google’s, verifying their authenticity. The FIDO2 protocol, meanwhile, handles the part where the computer and smartphone communicate to verify that the user has the smartphone present.

The latter works using FIDO2’s Client to Authenticator Protocol (CTAP), which performs the authentication with the smartphone via Bluetooth.

One report from the event also mentions something called “cloud-assisted Bluetooth Low Energy (caBLE)”. It’s not clear what this is although it could be Google’s next addition to the FIDO2 standard that adds additional security checks.

What happens if you lose or don’t have your smartphone? In that case, you’ll either need to have enabled the Authenticator app as a fallback or have a security key (the YubiKey or Titan), or have made a note of the backup security codes Google lets you download and print.