
Google Improves Security Key Support on iOS Devices

MacRumors

macrumors bot
Original poster
Apr 12, 2001
50,521
11,906


Google today announced native support for the W3C WebAuthn implementation for Google Accounts on Apple devices running iOS 13.3 and above, which improves the security key experience on iOS and allows more security key types to be used with Google accounts and Google's Advanced Protection Program.


With the change, iOS users are able to use Google's Titan Security Keys with NFC, tapping the key on the back of the iPhone when signing in as a security measure.

Lightning or USB security keys like the YubiKey 5Ci can be used with Google accounts if you have an Apple Lightning to USB Camera Adapter. USB-C security keys can be plugged directly into iOS devices with a USB-C port, such as Apple's iPad Pro models.

Google says that it recommends users install the Smart Lock app to use Bluetooth security keys and the iPhone's built-in security key, as this provides a way for the iPhone to function as additional protection for a Google Account.

Google also recommends that Google users who are at higher risk of targeted attacks utilize security keys and enroll in its Advanced Protection Program, which is the feature that allows for extra account protection with physical security keys.

Using a physical security key provides more protection than two-factor verification because it requires you to have the physical key (or the iPhone Key with the Smart Lock app) to sign in to your Google accounts rather than just a digitally generated code.

Article Link: Google Improves Security Key Support on iOS Devices
 

1144557

Cancelled
Sep 13, 2018
925
2,410
That seems a bit hyperbolic. Google's security isn't bad at all. Don't confuse security with data responsibility.

They earned that reputation with their privacy abuses of consumers. The trust is gone. Whether this is "good" or not itself isn't relevant to a lot of people as there are many competitors in this space with good track records like YubiKey.
 

AmazingTechGeek

macrumors 6502a
Mar 6, 2015
526
151
They earned that reputation with their privacy abuses of consumers. The trust is gone. Whether this is "good" or not itself isn't relevant to a lot of people as there are many competitors in this space with good track records like YubiKey.
 
  • Like
Reactions: acctman

Just sayin...

macrumors regular
Jan 8, 2008
190
151
Google + Security/Privacy products kind of reminds me of Vegas casinos' efforts to keep their customers from being ripped off by shady cab companies. Don’t let the minor players get in the way of their revenue stream...
 

justperry

macrumors G4
Aug 10, 2007
11,287
7,462
I'm a rolling stone.
Security != Privacy
Google pushes a lot of secure technologies, especially when it comes to web security... Without Google most webpages would likely still be unencrypted...

Your privacy is compromised on Google. You can securely log in to Google Mail, but then Google themselves read those mails; you think you are secure while you are actually not.
 

ApfelKuchen

macrumors 68040
Aug 28, 2012
3,830
2,386
Between the coasts
Using a physical security key provides more protection than two-factor verification because it requires you to have the physical key (or the iPhone Key with the Smart Lock app) to sign in to your Google accounts rather than just a digitally generated code.

This is a matter that's open to debate. Any physical key is only as good as its own security. If a physical key is in a backpack or purse stolen along with that iPhone or iPad... not all that secure.

Which "second factor" happens to be more secure seems more a matter of nuance and specific circumstance than an across-the-board superiority.

The general assumption with 2FA is that password-only is not secure, as once compromised (phished, etc.), a password can be circulated electronically. So it's a matter of making the second factor, whatever it is, something that can't be circulated electronically. Physical possession of a key, access to a passcode-locked iPhone, access to a phone number... all fit the general requirement, but all can potentially be compromised as well. All 2FA does is raise the bar for the attacker.
 

konqerror

macrumors 68020
Dec 31, 2013
2,298
3,692
This is a matter that's open to debate. Any physical key is only as good as its own security. If a physical key is in a backpack or purse stolen along with that iPhone or iPad... not all that secure.

FIDO2 allows software PINs or token hardware PINs and biometrics, solving that issue. PINs are typically required for FIDO2 passwordless; if you require a password, you have a barrier against the lost token problem.

The general assumption with 2FA is that password-only is not secure, as once compromised (phished, etc.), a password can be circulated electronically.

You have to be distinct here. U2F and FIDO2 are phish-resistant. Other 2FA schemes like SMS, TOTP, and push systems are not. That's the key benefit of these tokens.
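
The distinction drawn in the post above, as an added example that is not part of the thread: a TOTP check sees only six digits, while a WebAuthn relying party also checks the origin the browser recorded and the RP ID hash the authenticator signed. The host names, keys and the `demo` helper are constructed, and HMAC stands in for the authenticator's real public-key signature.

```python
import base64, hashlib, hmac, json, struct
RP_ID = "accounts.example"                 # constructed relying-party ID
ORIGIN = "https://accounts.example"        # the only origin the server accepts

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def totp(secret: bytes, t: int, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and six digits."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{num % 10**6:06d}"

def verify_totp(secret: bytes, code: str, t: int) -> bool:
    # The server sees six digits only; nothing records where they were typed.
    return hmac.compare_digest(totp(secret, t), code)

def client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser builds it; the page cannot set origin."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def sign(key: bytes, rp_id: str, cdata: bytes):
    """Authenticator side. HMAC is a stand-in for the real ECDSA signature."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + bytes(4)
    msg = auth_data + hashlib.sha256(cdata).digest()
    return auth_data, hmac.new(key, msg, hashlib.sha256).digest()

def verify_assertion(key, challenge, cdata, auth_data, sig) -> str:
    """Relying-party checks; returns "ok" or the first check that failed."""
    c = json.loads(cdata)
    msg = auth_data + hashlib.sha256(cdata).digest()
    checks = [
        ("bad type", c.get("type") == "webauthn.get"),
        ("bad challenge", c.get("challenge") == b64url(challenge)),
        ("bad origin", c.get("origin") == ORIGIN),
        ("bad rpIdHash", auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest()),
        ("bad signature", hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), sig)),
    ]
    return next((name for name, passed in checks if not passed), "ok")

def demo():
    secret, key, chal, t = b"constructed-secret", b"constructed-key", bytes(16), 1_700_000_000
    ok_cd = client_data(ORIGIN, chal)
    bad_cd = client_data("https://accounts.example.login.test", chal)  # constructed look-alike
    return (verify_totp(secret, totp(secret, t), t),   # code relayed from the look-alike page
            verify_assertion(key, chal, ok_cd, *sign(key, RP_ID, ok_cd)),
            verify_assertion(key, chal, bad_cd, *sign(key, "login.test", bad_cd)))
```

`demo()` returns the three verdicts in order: the forwarded TOTP code is accepted, the assertion from the real origin is accepted, and the assertion produced on the look-alike origin is rejected at the origin check.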
 

/dev/toaster

macrumors 68020
Feb 23, 2006
2,476
249
San Francisco, CA

The U2F standards were initially crafted by both Google and Yubico. Not to mention, these devices look extremely similar to the existing product line of Yubico. I suspect these are actually produced by Yubico in the first place.
 
  • Like
Reactions: jimthing

konqerror

macrumors 68020
Dec 31, 2013
2,298
3,692
  • Like
Reactions: /dev/toaster

jedivulcan

macrumors 6502
May 15, 2007
402
7
I wish Google would update Chrome on Mac to work with Google's password manager. Touch ID works with some 2FA key supported sites (Namecheap for example).
 

DoctorTech

macrumors 6502a
Jan 6, 2014
687
1,508
Indianapolis, IN
They earned that reputation with their privacy abuses of consumers. The trust is gone. Whether this is "good" or not itself isn't relevant to a lot of people as there are many competitors in this space with good track records like YubiKey.
Well said. Google wants to protect your data so they can sell it rather than someone else getting it for free ;)
 
  • Like
Reactions: BuddyTronic

BuddyTronic

macrumors 65816
Jul 11, 2008
1,264
887
Security != Privacy
Google pushes a lot of secure technologies, especially when it comes to web security... Without Google most webpages would likely still be unencrypted...

Security is not equal to privacy.

That’s the catch.

Google looks like it has nice 2FA and it might offer secure data, from everyone but Google itself right?

The issue is whether you have “privacy” from Google.
 

ctdonath

macrumors 65832
Mar 11, 2009
1,504
486
Speaking of "tap"...

Whatever happened to "tap to pair"? Was supposed to be a great way to mutually identify devices, be it device pairing or sharing information or whatever. Widely touted, then vanished with an occasional "where'd it go?" thru the ages...
 

yurc

macrumors 6502a
Aug 12, 2016
670
747
inside your DSDT
So, this is Google's version of YubiKey then?

Our enterprise is using G-Suite as its primary company email and tools, and I think this key is welcome to increase the security layer to some degree, albeit we are already using YubiKey now.
Your privacy is compromised on Google. You can securely log in to Google Mail, but then Google themselves read those mails; you think you are secure while you are actually not.

Is it also the same for paid G-Suite, which includes G-Mail services with a company domain? For managing users, security is quite good I think: it tracks users' logged-in devices and is pretty scalable. When it comes to enterprise services, Google's and MS's offerings ain’t so bad.
 
  • Like
Reactions: cyb3rdud3