Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Google IOS Iphone Technology

Google Expands Android's Built-in Security Key To iOS Devices (zdnet.com) 39

An anonymous reader shares a report: In April, Google announced a groundbreaking technology that could allow Android users to use their smartphones as hardware security keys whenever logging into Google accounts on their laptops or work PCs. Initially, the technology was made available for Chrome OS, macOS, and Windows 10 devices. Today, Google announced it is expanding this technology to iOS as well. Today's news means that iPhone and iPad users can now use their (secondary) Android smartphones as a security key whenever logging into their Google accounts on an iOS device. The technology works basically the same, as Google explained in April, at the Cloud Next 2019 conference.
This discussion has been archived. No new comments can be posted.

Google Expands Android's Built-in Security Key To iOS Devices

Comments Filter:
  • by sinij ( 911942 ) on Wednesday June 12, 2019 @01:34PM (#58750892)
    Android use of hardware-backed keystore to implement FIDO is a useful feature, but it also raises numerous privacy concerns. The use of key, by definition, is both unique and definitively tied to user's identity. In effect it is also "super-cookie" baked deep into hardware that Google under FIDO/CTAP scheme can access at any time.
    • That's a great point, but that's true of a security token as well.

    • Android use of hardware-backed keystore to implement FIDO is a useful feature, but it also raises numerous privacy concerns. The use of key, by definition, is both unique and definitively tied to user's identity. In effect it is also "super-cookie" baked deep into hardware that Google under FIDO/CTAP scheme can access at any time.

      It's not a super-cookie baked into hardware, because the keys used for FIDO are generated on-device, per application.

      There is a key that is baked into the hardware, but it's not device-unique. This is the Android Keystore attestation key (Note: I'm the primary author of Android keystore, and the designer and implementer of the attestation scheme), and it's not a device-unique identifier because it's required that the same key be used on a large batch of devices. The Compliance Definition Document requi [android.com]

      • Note: I'm the primary author of Android keystore, and the designer and implementer of the attestation scheme

        Sorry for replying to myself, but I have to make one disclaimer here. I disclaim responsibility for the horrible Android Keystore API. The engineer who wrote the original incarnation of Keystore decided to use the Java Crypto API as its interface. I see lots of valid reasons for making that particular choice, and I don't think it was a bad one within the constraints and the context. I'd probably have done the same thing. However, the Java Crypto API is awful, among the worst crypto APIs I've ever seen,

      • by Anonymous Coward

        How does it feel to be working for one of the most evil companies in the world? Do you even know you are doing evil things? What happened to your soul?

        Do you really think it is okay for your shit company to store everything about everyone?

        numbnuts

        • How does it feel to be working for one of the most evil companies in the world?

          What you think you know about Google is wrong. I know the truth of what Google is and does.

  • Methinks google is smarting from Apple One Button login changes taking away their ability to monetize your information on iOS.

  • I have an app like that already that works with my Google account, Duo tokens, Github and more. There are literally dozens of apps like that on the app store.

    • by Anonymous Coward

      Yeah, it's basically google trying to draw an artificial distinction between One Time Password [wikipedia.org] and some sort of FIDO key emulation. They possibly think it's backed by some hardware security module, but how would you know?

      Of course, it's possible to emulate a FIDO key in software. (you didn't realize that, people?)

      In Microsoft-land, we've had the Microsoft Authenticator app on iOS and Android for ages. It supports both Time Based One Time Password codes *and* it has its own direct connection to Microsoft'

The truth of a proposition has nothing to do with its credibility. And vice versa.

Working...