Google has updated its Smart Lock app for iOS with a feature that essentially replaces physical security key with an actual mobile device.
Android users have had this features, and has enjoyed the easiness of signing in to Google safely without the gimmick. With the update for the iOS app, the Smart Lock app note reads: “With this new update, you can now set up your phone’s built-in security key, the best second factor protection for your Google Account.”
What this means, iOS users too can enjoy this security feature on their iPhone or iPad.
It works pretty much like two-factor authentication, but without having to receive a text message. So when users sign in to Google on a new device or another device, they will receive a notification on their registered iOS iPhone. They can then hit that button inside the app for confirm.
They can also deny to cancel the login, just as easily.
To make this happen, according to a Google cryptographer, is to make the Smart Lock app to run on the Secure Enclave, a separate processor inside most iPhones that handles biometric information such as TouchID or FaceID.
The feature was first introduced with the iPhone 5S, and Google’s app says that it requires iOS 10 or later to function.
Previously, if users wanted to securely sign in into their Google accounts from an iPhone, they had to use a physical key or an Android phone.
With the update, iPhone users essentially become part of Google’s Advanced Protection Program, which is Googles security program for those who are at risk of online breach, such as high-profile figures, politicians or journalists, without having to purchase separate security keys.
While Google's Advanced Protection Program and the updated Smart Lock app should ensure that Google users on iOS can benefit from Google security, the two won't be able to stop physical access to users devices.
Nevertheless, the upgrade is worthy.
To use this security feature from Google, iOS users need to first download the Google Smart Lock app from Apple's App Store, or download the newest version of the app.
After that, they need to allow the app to access their device's Bluetooth and Notifications.
To activate the security key, users can simply press a button within the Smart Lock app, and agree to make their mobile device the security key for Google. Users can find it among the list of options available to them on their two-factor authentication settings.
Once the setup finishes, users can simply sign in to their Google accounts from any device, and the Smart Lock app will show a notification alert that asks the user to confirm that it is them that is trying to sign in.
The Smart Lock app has one smart feature that tries to detect the device users is trying to sign in using Bluetooth, rather via the internet. If it doesn't detect that the device is nearby, the app will suggest the user to quickly change their password as someone else is trying to access their account.
It should be noted that users don't need to do this for “Trusted” devices. If a device Google knows the device that the users are trying to sign in with, like users usual phone or computer, the app won't notify any alert.
If users want to revoke access for Trusted devices, they can do this from the two-factor authentication settings on their Google account.
The downside is that, user needs to have their phone in close proximity to the device they are trying to sign in with Google.
While this provides security, the app however, doesn't ask for biometric authentication. What this means, if the phone is at someone else's hands and unlocked, the person could theoretically open the app and authenticate.
Another downside is the Smart Lock app is initially limited to authenticating Google sign ins from Chrome browser.
When attempting to authenticate using Safari, for example, users are still prompted to insert their physical security key. What this means, at its initial update, the Smart Lock app for iOS is still very limited. Users may want to create an extra step for their sign in process, or choose another alternative for two-factor authentication.