
MacRumors

macrumors bot
Original poster


Google today announced native support for the W3C WebAuthn implementation for Google Accounts on Apple devices running iOS 13.3 and above, which improves the security key experience on iOS and allows more security key types to be used with Google accounts and Google's Advanced Protection Program.


With the change, iOS users are able to use Google's Titan Security Keys with NFC, tapping the key on the back of the iPhone when signing in as a security measure.

Lightning or USB security keys like the YubiKey 5Ci can be used with Google accounts if you have an Apple Lightning to USB Camera Adapter. USB-C security keys can be plugged directly into iOS devices with a USB-C port, such as Apple's iPad Pro models.

Google says that it recommends users install the Smart Lock app to use Bluetooth security keys and the iPhone's built-in security key, as this provides a way for the iPhone to function as additional protection for a Google Account.

Google also recommends that Google users who are at higher risk of targeted attacks utilize security keys and enroll in its Advanced Protection Program, which is the feature that allows for extra account protection with physical security keys.

Using a physical security key provides more protection than two-factor verification because it requires you to have the physical key (or the iPhone Key with the Smart Lock app) to sign in to your Google accounts rather than just a digitally generated code.

Article Link: Google Improves Security Key Support on iOS Devices
 
That seems a bit hyperbolic. Google's security isn't bad at all. Don't confuse security with data responsibility.

They earned that reputation with their privacy abuses of consumers. The trust is gone. Whether this is "good" or not itself isn't relevant to a lot of people, as there are many competitors in this space with good track records like YubiKey.
 
Google + Security/Privacy products kind of reminds me of Vegas casinos' efforts to keep their customers from being ripped off by shady cab companies. Don’t let the minor players get in the way of their revenue stream...
 
Security != Privacy
Google pushes a lot of secure technologies, especially when it comes to web security... Without Google most webpages would likely still be unencrypted...

Your privacy is compromised on Google: you can securely log in to Google Mail, but then Google themselves reads those mails. You think you are secure while you are actually not.
 
Using a physical security key provides more protection than two-factor verification because it requires you to have the physical key (or the iPhone Key with the Smart Lock app) to sign in to your Google accounts rather than just a digitally generated code.

This is a matter that's open to debate. Any physical key is only as good as its own security. If a physical key is in a backpack or purse stolen along with that iPhone or iPad... not all that secure.

Which "second factor" happens to be more secure seems more a matter of nuance and specific circumstance than an across-the-board superiority.

The general assumption with 2FA is that password-only is not secure, as once compromised (phished, etc.), a password can be circulated electronically. So it's a matter of making the second factor, whatever it is, something that can't be circulated electronically. Physical possession of a key, access to a passcode-locked iPhone, access to a phone number... all fit the general requirement, but all can potentially be compromised as well. All 2FA does is raise the bar for the attacker.
 
This is a matter that's open to debate. Any physical key is only as good as its own security. If a physical key is in a backpack or purse stolen along with that iPhone or iPad... not all that secure.

FIDO2 allows software PINs or token hardware PINs and biometrics, solving that issue. PINs are typically required for FIDO2 passwordless. If you require a password, you have a barrier against the lost token problem.

The general assumption with 2FA is that password-only is not secure, as once compromised (phished, etc.), a password can be circulated electronically.

You have to be distinct here. U2F and FIDO2 are phish-resistant. Other 2FA schemes like SMS, TOTP, and push systems are not. That's the key benefit of these tokens.
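The phishing resistance described in the post above comes from origin binding: the browser records the origin it actually loaded and the key signs over a hash of the relying party ID. As an added example (not part of the thread or any poster's code), this Python shows the relying-party checks on those fields for a WebAuthn assertion; the domains, challenge and function names are constructed for illustration, and signature verification over the same bytes is a separate step that is not shown.

```python
import base64, hashlib, hmac, json

RP_ID = "example.com"                             # assumed relying party ID
EXPECTED_ORIGIN = "https://accounts.example.com"  # assumed sign-in origin
CHALLENGE = b"constructed-challenge-0001"         # constructed server challenge

def b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def check_assertion_binding(client_data_json, authenticator_data, expected_challenge):
    """Return the binding failures for one assertion (empty list = all checks pass).
    Signature verification over these bytes is a separate step, not shown."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return ["clientDataJSON is not valid JSON"]
    if not isinstance(client, dict):
        return ["clientDataJSON is not an object"]
    failures = []
    if client.get("type") != "webauthn.get":
        failures.append("wrong type")
    sent = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(expected_challenge)):
        failures.append("challenge mismatch")
    # The browser, not the page, writes the origin it actually loaded.
    if client.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin mismatch")
    if len(authenticator_data) < 37:   # rpIdHash(32) + flags(1) + signCount(4)
        return failures + ["authenticatorData too short"]
    # The authenticator signs over the hash of the RP ID it was asked about.
    if not hmac.compare_digest(authenticator_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        failures.append("rpIdHash mismatch")
    if not authenticator_data[32] & 0x01:   # UP (user present) flag
        failures.append("user not present")
    return failures

def make_sample(origin, rp_id, challenge):
    """Constructed sample of what a browser and key report for a page at `origin`."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge).decode()}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (7).to_bytes(4, "big")
    return client, auth

def demo():
    genuine = check_assertion_binding(*make_sample(EXPECTED_ORIGIN, RP_ID, CHALLENGE), CHALLENGE)
    # Same challenge relayed through a page on another (constructed) domain.
    relayed = check_assertion_binding(
        *make_sample("https://accounts.example.net", "example.net", CHALLENGE), CHALLENGE)
    return genuine, relayed

if __name__ == "__main__":
    print(demo())
```

A TOTP or SMS code carries no origin or RP ID field, so a server receiving one has nothing comparable to check.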
 

The U2F standards were initially crafted by both Google and Yubico. Not to mention, these devices look extremely similar to the existing product line of Yubico. I suspect these are actually produced by Yubico in the first place.
 
I wish Google would update Chrome on Mac to work with Google's password manager. Touch ID works with some 2FA key supported sites (Namecheap for example).
 
They earned that reputation with their privacy abuses of consumers. The trust is gone. Whether this is "good" or not itself isn't relevant to a lot of people, as there are many competitors in this space with good track records like YubiKey.
Well said. Google wants to protect your data so they can sell it rather than someone else getting it for free ;)
 
Security != Privacy
Google pushes a lot of secure technologies, especially when it comes to web security... Without Google most webpages would likely still be unencrypted...

Security is not equal to privacy.

That’s the catch.

Google looks like it has nice 2FA and it might offer secure data, from everyone but Google itself, right?

The issue is whether you have “privacy” from Google.
 
Speaking of "tap"...

Whatever happened to "tap to pair"? Was supposed to be a great way to mutually identify devices, be it device pairing or sharing information or whatever. Widely touted, then vanished with an occasional "where'd it go?" thru the ages...
 
So, this is Google's version of YubiKey then?

Our enterprise is using G-Suite as its primary company email and tools, and I think this key is welcome to increase the security layer to some degree, albeit we are already using YubiKey now.

Your privacy is compromised on Google: you can securely log in to Google Mail, but then Google themselves reads those mails. You think you are secure while you are actually not.

Is it also the same for paid G-Suite, which includes G-Mail services with a company domain? For managing users, security is quite good I think; it tracks users' logged devices and is pretty scalable. When it comes to enterprise services, Google's and MS's offerings ain’t so bad.
 