Use an Android phone as a security key for 2-Step Verification

What’s changing

Google is adding an option to use your Android phone’s built-in security key for multi-factor authentication in G Suite. All phones running Android 7.0+ (Nougat) have a built-in key which can be activated. This means your users can use existing phones as a primary 2-Step Verification method to protect against phishing. Using a phone as a security key is currently offered in beta.

Who’s impacted

Admins and end users

Why you’d use it

2-Step Verification greatly improves the security of your account by adding another layer of protection and making it more resistant to phishing attacks. By adding the option of using your Android phone’s built-in security key, they’re expanding access to a phishing-resistant 2-Step Verification method in a convenient form – your phone. This can make it faster for you to implement 2-Step Verification in your organization while keeping user training and overall costs to a minimum.

Previously, in order to protect your users against password phishing, the only option was to use a security key fob. With this beta, their mobile phone can be that security key.

How to get started

Additional details

  • Available to G Suite, Cloud Identity, GCP customers, and personal Google Accounts.
  • Available on phones running Android 7.0+ (Nougat) with Google Play Services.
  • Compatible with Bluetooth-enabled Chrome OS, macOS X, or Windows 10 devices with a Chrome browser.

[Image: 2-Step Verification on a Pixel 3]

Helpful links

Availability

Rollout details

G Suite editions 

  • Available to all G Suite editions in beta.

On/off by default? 

  • If 2-Step Verification or Security Key Enforcement is turned on for an organization, an Android phone will be available as an option for security keys by default.