Google Adds WebAuthn Support for Security Keys on iOS

Hardware-based multifactor authentication is becoming more and more prevalent, both in the enterprise and for individual users, but it’s still somewhat difficult to deploy for mobile devices. The limited form factors and input options on mobile devices make hardware security keys awkward to use for 2FA, but Google is making a move to simplify that process for people enrolled in its Advanced Protection Program (APP).

That program is Google’s top tier of protection for Gmail and other Google services, and one of the elements it includes is the use of Titan hardware security keys as a second factor of authentication. People enrolled in the program get both a USB-A and a Bluetooth security key; the former is mainly used on laptops and desktops, while the latter is meant for use on mobile devices.

But Google is making a change that makes it simpler for people to use the USB-A key on their mobile devices, as well.

“Starting today, we’re rolling out a change that enables native support for the W3C WebAuthn implementation for Google Accounts on Apple devices running iOS 13.3 and above. This capability, available for both personal and work Google Accounts, simplifies your security key experience on compatible iOS devices and allows you to use more types of security keys for your Google Account and the Advanced Protection Program,” Christiaan Brand, a product manager for Google Cloud, said.

Although the USB-A Titan key is designed specifically to work with the Google Advanced Protection Program, there are other similar keys that also support WebAuthn and could be used with iOS devices. For example, Yubico’s YubiKey 5Ci has the same capability and works with iOS, as does the open-source SoloKey Tap. WebAuthn is an emerging standard that enables developers to add support for strong authentication to web applications. It is relatively young, but it has been adopted in a number of key places, including most of the major browsers.

The use of hardware security keys as a second factor is one of the most effective ways to defend against account takeovers, as even an attacker who has a victim’s username and password would not be able to log in to the victim’s Google account without the key.

“We highly recommend users at a higher risk of targeted attacks to get security keys (such as Titan Security Key or your Android or iOS phone) and enroll into the Advanced Protection Program,” Brand said.