Chrome for Android becoming a 2FA security key for Google Account sign-in

For the past few years, Google has aggressively encouraged adoption of two-factor authentication (2FA), or 2-Step Verification (2SV) as the company refers to it. Options include physical security keys that plug in over USB and, more recently, phones that act as security keys. The latest effort turns Chrome for Android into a security key for Google Account sign-in.

After entering a username and password, users who have 2FA/2SV enabled on their Google Account can confirm a sign-in attempt in a handful of ways. There's tapping "Yes" on the "Google Prompt" notification that appears on both Android and iOS (Google or Gmail app required), or long-pressing the volume button if a "phone security key" has been set up.

The latter approach is stronger than a plain notification and more closely mimics a USB-C/A security key: Bluetooth is used between the phone and the computer to confirm proximity, something a push notification alone does not establish. However, a phone security key has to be set up manually in advance, which is a barrier to adoption.

Google is now adding the Chrome for Android app as another security-key method. Upon entering your credentials on a laptop, you get the usual "Are you trying to sign in?" notification, which opens a fullscreen page with "Yes" and "No, it's not me" at the bottom. Google notes how:

Someone is trying to sign in to your account from a nearby device

The important part of that message is "nearby device," which differentiates this from the simple Google Prompt notification. After confirming, you're taken to a "Connecting to your device" page with a rotating animation, exactly like the phone security key process.

If you open the Recents/multitasking menu, you'll notice that this screen belongs to Chrome rather than Google Play services. (That said, Google Play services is still responsible for showing the earlier Yes/No UI.)

The below screenshots are from Chrome 93 (in beta) on Android and version 92 for Mac. This capability is not yet widely rolled out. Behind the scenes, Google is using caBLE (cloud-assisted Bluetooth Low Energy), as noted in the Chrome flag. Requirements include being signed into the same account on both devices and having Chrome Sync enabled:

Enable use of phones that are signed into the same account, with Sync enabled, to be used as 2nd-factor security keys. – Mac, Windows, Linux, Chrome OS, Android

chrome://flags/#enable-web-authentication-cable-v2-support
