Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

MacRumors

macrumors bot
Original poster
Apr 12, 2001
52,184
13,809



google-smart-lock-app-icon.jpg
A new update to Google's Smart Lock iOS app lets users set up their iPhone or iPad as a security key for two-factor authentication when signing into native Google services via Chrome browser.

Once the feature is set up in the app, attempting to log in to a Google service via Chrome on another device such as a laptop results in a push notification being sent to their iOS device.

The user then has to unlock their iPhone or iPad using Face ID or Touch ID and confirm the log-in attempt via the Smart Lock app before it can complete on the other device.

After installing the update, users are asked to select a Google account to set up their phone's built-in security key. According to a Google cryptographer, the feature makes use of Apple's Secure Enclave hardware, which securely stores Touch ID, Face ID, and other cryptographic data on iOS devices.

The Smart Lock app requires that Bluetooth is enabled on both the iPhone/iPad and the other device for two-factor authentication to work, so they have to be in close proximity, but the advantage of the system is that it ensures the process is localized and can't be leaked onto the internet.

The Google Smart Lock app is a free download for iPhone and iPad on the App Store. [Direct Link]

(Via 9to5Google.com)

Article Link: iPhones Can Now Be Used to Generate 2FA Security Keys for Google Accounts
 

Vincent Verbist

macrumors newbie
Jan 15, 2020
2
2
Can someone explain the functional difference between the 'Google'-app I have on my iPhone, which prompts me to verify it's me whenever I login to any Google-services?
 
Last edited:
  • Like
Reactions: melvynadam
Comment

melvynadam

macrumors member
Dec 16, 2010
31
2
I came here to ask the same question - there's already an app for this and it's already made by Google. Why would I want/need a standalone app? Are they removing this function from the Gmail app?
 
Comment

HandITOVER

macrumors 6502
Jan 13, 2020
251
49
You can't do that with Apple Watch! The Apple wearable platform is an afterthought.
 
Last edited:
Comment

melvynadam

macrumors member
Dec 16, 2010
31
2
I may have worked out what Google's aiming at - replacing the physical bluetooth security keys (the ones that compete with Yubi) with your bluetooth-enabled smartphone.
In theory, why carry a bluetooth security key if my smartphone can authenticate me? Then this can be used for multiple services - not just securing your Google account.
 
Comment

I7guy

macrumors Penryn
Nov 30, 2013
25,692
13,804
Gotta be in it to win it
I came here to ask the same question - there's already an app for this and it's already made by Google. Why would I want/need a standalone app? Are they removing this function from the Gmail app?
This process seems different in that an Internet connection is not required to authenticate.
 
Last edited:
Comment

TriBruin

macrumors regular
Jul 28, 2008
223
479
Can someone explain the functional difference between the 'Google'-app I have on my iPhone, which prompts me to verify it's me whenever I login to any Google-services?
The way I am reading this, is that it eliminates the push from Google and handles everything locally. When you attempt to sign-in, Chrome will check for the presence of your trusted device (iPhone) via local Bluetooth and prompt you directly. This, in theory, eliminates any chance for a bad actor intercepting the internet based push notification.
 
Comment

1144557

Cancelled
Sep 13, 2018
925
2,411
The way I am reading this, is that it eliminates the push from Google and handles everything locally. When you attempt to sign-in, Chrome will check for the presence of your trusted device (iPhone) via local Bluetooth and prompt you directly. This, in theory, eliminates any chance for a bad actor intercepting the internet based push notification.


You would think that is incredibly hard already to crack/spoof an Apple push notification from the Google app itself; far more than SMS. I dont know that this new way offers much more to the average person. In a very high security environment using Goole Apps (not sure why you would do that to begin with then, but ok) I guess.

Its also unclear how not needing an internet connection would help if you are logging into Google which requires internet. That argument doesnt make a ton of sense obviously.

Not knocking more options, its just a bit unclear the differences between this and using the Google app to authenticate 2FA.
 
  • Like
Reactions: Justanotherfanboy
Comment

Vincent Verbist

macrumors newbie
Jan 15, 2020
2
2
The way I am reading this, is that it eliminates the push from Google and handles everything locally. When you attempt to sign-in, Chrome will check for the presence of your trusted device (iPhone) via local Bluetooth and prompt you directly. This, in theory, eliminates any chance for a bad actor intercepting the internet based push notification.
Okay, that's something I can understand, but still strange that there is not a single reference to the current solution through the Google app...
 
  • Like
Reactions: MisterSavage
Comment

Westside guy

macrumors 603
Oct 15, 2003
5,806
3,048
The soggy side of the Pacific NW
There are also standard ways to do two-factor auth, one of which is even implemented by Google through their Google Authenticator app (RFC 6238 time-based one-time passwords - I prefer the OTP Auth app for it) and can be implemented by any app developer for increased security without having to be beholden to Google or any other single entity. I realize some people will complain about having to copy 6 digits (oh the horror), but I prefer standard solutions like that to tying my security to Google - or, for that matter, to having all these vendor-specific two-factor approaches (Apple does it one way, Google does it another, etc.).
 
Comment

atomic.flip

macrumors 6502
Dec 7, 2008
401
722
Orange County, CA
This is great! Funny thing I just bought a bunch of security keys to test this sort of functionality. Google already supported doing this with their Pixel line of phones. They have security hardware in them similar to keys by Yubi and Feitian. Good stuff.
 
Comment

MisterSavage

macrumors 68030
Nov 10, 2018
2,681
2,806
Okay, that's something I can understand, but still strange that there is not a single reference to the current solution through the Google app...

It does seem really strange that they don't mention the current solution and why this new one would be better/different. I already like just clicking "yes it's me" from the Google (or Gmail app).
 
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.