Google is exploring the use of Android and iOS devices as physical security keys in an effort to combat phishing attacks. At its annual Google I/O developer conference, the company announced plans to build the functionality of security keys, such as its own Titan Security Key, into mobile devices, which will use Bluetooth to verify that they are in close proximity to the device the user wishes to log into.
“Like physical security keys, this helps prevent a distant attacker from tricking you into approving a sign-in on their browser, giving us an added layer of security against the kind of ‘person in the middle’ attacks that can still work against SMS or Google Prompt,” said Google engineer Daniel Margolis in a blog post.
The tech behemoth will also expand the types of Google Prompt challenges that users may encounter after failed or suspicious login attempts. One new Google Prompt challenge will require users to connect their mobile devices to the same Wi-Fi network as the device they are attempting to log into. Google also intends to strengthen phishing defences for its Google Suite services, such as Docs, Sheets, and Slides.
Google also stated that its new security push may not work everywhere, particularly on devices that lack Bluetooth or in browsers that lack security key support. To prevent attackers from taking advantage of situations where security keys are unavailable, the company reportedly provides backups.
“Over time, as FIDO2 authentication becomes more widely available, we expect to be able to make it the default for many of our users, and to rely on stronger versions of our existing challenges to provide secure fallbacks,” Daniel adds.
Google stated that phishing attacks have long been a persistent threat, but that recent breakthroughs give it the capacity to help more of its users remain safe online.