All Android smartphones running Android 7.0 or higher can now be used as a security key to log into websites—only Google’s, and only via Chrome for now, but hopefully more sites and browsers will soon support the feature. This is a convenient two-factor authentication method, since most folks have their Android phones or tablets handy even when browsing on a desktop, and it eliminates the need to deal with other hardware tokens or authentication apps.
This new feature is a result of Android recently receiving FIDO2 and WebAuthn certification. We have a quick explainer if you’re curious how the technology works, but the elevator pitch is that your Android phone communicates with Chrome to verify your identity and the legitimacy of the website you’re signing into. The two devices check that:
- You’re in the same location as the device you’re signing in on, verified via Bluetooth and Location data
- The site you’re logging into is secure and authentic (rather than a fake login page trying to phish your password)
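How the second check turns away a fake login page, as an added example (not code from this article or from Google): the origin, challenge and RP ID checks that the WebAuthn standard has a site's server run on a sign-in response. The domain names, function names and sample data are constructed, and it assumes the signature is verified separately against the registered public key.

```python
import base64
import hashlib
import hmac
import json
import struct

USER_PRESENT = 0x01  # bit 0 of the authenticator-data flags byte


def b64url(data):
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion(client_data_json, auth_data, challenge, origin, rp_id):
    """Return the names of failed checks; an empty list means all passed."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return ["clientDataJSON"]
    if not isinstance(client, dict) or len(auth_data) < 37:
        return ["malformed"]
    failed = []
    if client.get("type") != "webauthn.get":
        failed.append("type")
    sent = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(challenge).encode()):
        failed.append("challenge")
    if client.get("origin") != origin:  # written by the browser, not the page
        failed.append("origin")
    # Authenticator data: 32-byte SHA-256(RP ID), 1 flags byte, 4-byte counter.
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        failed.append("rpIdHash")
    if not auth_data[32] & USER_PRESENT:
        failed.append("userPresent")
    return failed


def sample_assertion(origin, rp_id, challenge, flags=USER_PRESENT):
    """Constructed sample of what a browser and authenticator would return."""
    client = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    auth_data = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, 1)
    return json.dumps(client).encode(), auth_data


CHALLENGE = bytes(range(32))  # constructed; a real server issues a fresh random value
GOOD = sample_assertion("https://accounts.example.com", "example.com", CHALLENGE)
PHISH = sample_assertion("https://accounts.example.com.login.test", "login.test", CHALLENGE)
```

Because the browser records the page's real origin and the authenticator hashes the RP ID it was asked to sign for, a response produced on the look-alike domain fails both the `origin` and `rpIdHash` checks even if the user approves the prompt.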
How to use your Android smartphone as a security key
What you’ll need
To add your smartphone as a security key, look for the “Add security key” link in the Security Key section of the Two-Step Verification page if you’ve previously used a security key, or the “Set up alternative second step” section lower on the page if you have not. You’ll be prompted to pick your Security Key (your smartphone), and you’ll only have to walk through a short prompt to enable this feature for your account.
Signing in with your smartphone
Now you can use your Android device to authenticate your Google sign-ins. Here’s how that works:
- Make sure Bluetooth and Location are enabled on your Android phone.
- When you sign into a Google service, such as Gmail, YouTube, Chrome, or Drive, you’ll get a prompt in the browser to unlock your phone and follow the instructions to confirm the sign-in.
- Tap “Yes” on your phone, then wait for the authentication process to complete. (If you’re using a Pixel 3 or Pixel 3 XL, you can also press the volume down button to authenticate the request.)