Phishing—when an attacker tries to trick you into turning over your online credentials—is the most common cause of security breaches. Preventing phishing attacks can be a major challenge for personal and business users alike. At Google, we automatically block the overwhelming majority of malicious sign-in attempts (even if an attacker has your username or password), but an additional layer of protection can be helpful.
Two-step verification (or 2SV) makes it even harder for attackers to gain access to your accounts by adding one more step to the sign-in process. While any form of 2SV, like SMS text message codes and push notifications, improves the security of your account, sophisticated attackers can skirt around them by targeting you with a fake sign-in page to steal your credentials.
We consider security keys based on FIDO standards, like our Titan Security Key, to be the strongest, most phishing-resistant method of 2SV on the market today. These physical security keys protect your account from phishers by requiring you to tap your key during suspicious or unrecognized sign-in attempts.
Now, you have one more option—and it’s already in your pocket. Starting today in beta, your phone can be your security key—it’s built into devices running Android 7.0+. This makes it easier and more convenient for you to unlock this powerful protection, without having to carry around additional security keys. Use it to protect your personal Google Account, as well as your Google Cloud Accounts at work. We also recommend it for people in our Advanced Protection Program—like journalists, activists, business leaders and political campaign teams who are most at risk of targeted online attacks.
To activate your phone’s built-in security key, all you need is an Android 7.0+ phone and a Bluetooth-enabled Chrome OS, macOS X or Windows 10 computer with a Chrome browser. Here’s how to do it:
- Add your Google Account to your Android phone.
- Make sure you’re enrolled in 2SV.
- On your computer, visit the 2SV settings and click “Add security key”.
- Choose your Android phone from the list of available devices—and you’re done!
When signing in, make sure Bluetooth is turned on both on your phone and on the device you are signing in on.
We recommend registering a backup security key to your account and keeping it in a safe place, so you can get into your account if you lose your phone. You can get a security key from a number of vendors, including our own Titan Security Key.
Here’s to stronger account security—right in your pocket.