Today, Google started rolling out an update to its iOS apps and online services that adds support for WebAuthn-capable security keys.
Hardware security keys are devices that generate unique cryptographic keys that are used as a second proof during an authentication process after users have successfully entered their username and password.
Security keys can be linked to the device where the login operation takes place via Bluetooth, USB, or Lightning connections.
iOS devices have supported security keys since their early beginnings, and users have been able to pair security keys with their iPhones to secure accounts with both a password and a cryptographic signature generated on the security key.
However, using a hardware security key to access a Google account or app on iOS has not been straightforward: support has been sparse and limited to an older generation of security keys.
Today, Google has updated its support for security keys on iOS. The company rolled out an update that allows users to use security keys via W3C WebAuthn, today’s most advanced standard for passwordless authentication.
Starting today, owners of iOS devices running iOS 13.3 or later can configure more types of security keys as the second factor (2FA/2SV) for their Google account.
Once configured, they’ll be able to verify their identity and log into Google’s iOS apps and Google-owned websites via the Safari browser using a modern security key. This includes:
- USB-A and Bluetooth Titan Security Keys, which have NFC functionality built in. This allows iOS users to tap the Titan key to the back of an iPhone when prompted while logging in to a Google website or Google iOS app.
- Lightning security keys like the YubiKey 5Ci or any USB security key, if the user has an Apple Lightning to USB Camera Adapter.
- Any USB-C security keys, if an iOS device has a USB-C port (such as an iPad Pro).
- The iPhone itself, thanks to its built-in T1 chip. (Google suggests installing the Smart Lock app in order to use the phone’s built-in security key, or any other Bluetooth security key.)
Security key vendor Yubico welcomed Google’s update today in a blog post. The company highlighted the importance of this update to iOS users, who will now be able to better protect their accounts against hackers who have compromised Google account passwords.
The move is especially important for Google’s enterprise users — namely its G Suite user base. Enterprise users are often iOS users, and having the ability to protect high-value Google accounts on iOS devices via a security key will boost security practices for many companies.
The move is also crucial for home consumers, who will be able to protect personal Gmail, Photos, Drive, or YouTube accounts using the latest generations of security keys.