Running Android 7.0 or later? Here’s how to use your smartphone as a two-factor authentication key

Two-factor authentication is a service that keeps your online accounts and services a whole lot safer than they would be otherwise. Why else would you lock down a Steam account using Steam Guard, a Blizzard account with Blizzard Authenticator, an Xbox Live account with whichever notification system from Microsoft annoys you the least? Shouldn’t your more business-y accounts have the same protection? Google thinks so.

And Google’s done something about it, too. If you’re rocking an Android smartphone with Android 7.0 or later installed, you can use the device as a physical two-factor authentication (2FA) key to lock down access to your accounts. Since the key functions by using the device’s Bluetooth connection, it’s generally pretty secure. In order to get into an account, your device needs to be within Bluetooth range. Let’s see those friendly chaps from upper Africa/Asia/Eastern Europe spoof that one.

Safety first

Setting up your Android device as a 2FA dongle (technically) is as simple as connecting it to your PC. Your PC will need a Bluetooth connection, so older desktops may battle here. 2FA, using the FIDO protocol and WebAuthn, has been enabled for Google’s range of services (Gmail, G Suite, Google Cloud and others). The protocols are designed to make sure you’re not on a phishing site by mistake. Here’s how the sign-in setup works.

One step at a time

First, you need to be signed in to your Google account on the Android device you want to use as a security key. Bluetooth for the device needs to be on. You’ll need to have Chrome running on the PC you’re attempting to lock down (provided the PC runs ChromeOS, MacOS, or Windows 10). Point your PC at myaccount.google.com/security and you’ll see the option to enable two-step verification. Er… select it. If you haven’t previously set up a two-step option, you’ll be given the choice to receive an email or an SMS. Instead, select Choose another option.

One of those options is Security Key. Choose that one, then pick your phone from the list of devices that should show up. Then follow the rest of the prompts. That should be about it. Note, you will run into issues if you’re not signed in with the same Google account on both devices. Then… you won’t see all the available devices. Have you tried logging out and in again?

That should do it. Signing into your account on the PC will entail confirming on your mobile device that it’s you accessing your accounts. If you’ve splurged on one of Google’s Pixel 3 handsets, you won’t even have to do that. The volume down button acts as a verification key. Google’s phone’s packing some secure hardware that helps in that line. Devices without the Pixel’s Titan M chip have to sign in and use a software button.

Google’s 2FA upgrade is a nice touch but it is limited in that it doesn’t work for third-party services at all. With data security becoming more important than ever to the average internet user, it’s just a matter of time before this feature becomes more widespread. Eventually, you’ll be able to secure all of your devices and accounts with a single device and then someone’s going to turn it into an implant or an RFID tattoo or something and then Amazon’s going to take over all the stores and you won’t ever have to carry a wallet and then that cyberpunk future we’ve been looking forward to is going to come to pass and it’s going to be awesome. Probably.