Google rolls out updates for iOS apps and online services to support WebAuthn-capable security keys

News by Andrew McCorkell

Two of the world’s biggest tech giants collaborate to support hardware security keys and devices that generate unique cryptographic keys.

A raft of new security choices has been released by Google to allow hardware security keys and devices to authenticate by generating unique cryptographic keys.

The updates mean it should now be possible to sign in by tapping a key to the back of an iPhone, using near-field communication (NFC).

It also means that security keys can be connected to a device over USB, Lightning, or Bluetooth to log in.

They can be used as a second proof during an authentication process after users have successfully entered their username and password.

Jake Moore, cybersecurity specialist at ESET, said: “Security keys are simply a fantastic way of authenticating a user and placing iron-clad security on accounts which may be susceptible to phishing and other forms of attacks.

"Security keys usually work remarkably well and quickly, but in the past some have not been so efficient, making users fall back to their previous ways and bypassing their functionality."

iOS devices have supported security keys for some time, with users able to pair security keys with their iPhones to secure accounts with both a password and a cryptographic signature generated on the security key.

New security options

  • USB-A and Bluetooth Titan Security Keys have NFC functionality built in, so the key can be tapped to the back of an iPhone when prompted at sign-in.
  • Use a Lightning security key like the YubiKey 5Ci, or any USB security key with an Apple Lightning to USB Camera Adapter.
  • Use a USB-C security key connected directly to an iOS device that has a USB-C port (like an iPad Pro).

Google recommends installing the Smart Lock app to use Bluetooth security keys and a phone’s built-in security key, which allows the use of an iPhone as an additional security key for a Google account.

The owners of Apple products can now use Titan Security Keys to thwart phishing and threats via Google accounts.

Moore added: “With Google and Apple working in unison, they will soon make users understand the seriousness and security potentials on offer. We know that most users favour convenience over security so anything that makes the user experience easier makes the online."

Google made the announcement in a blog post as part of its Advanced Protection Program, which aims to protect people at risk of targeted malicious software attacks.

The post said: “… we’re rolling out a change that enables native support for the W3C WebAuthn implementation for Google Accounts on Apple devices running iOS 13.3 and above.

"This capability, available for both personal and work Google Accounts, simplifies your security key experience on compatible iOS devices and allows you to use more types of security keys for your Google Account and the Advanced Protection Program."

Back in January, Google’s Advanced Protection Program team confirmed that both iPhones and Android devices could be used as security keys to access accounts.
