All about Android's new, safer way of logging into apps

Google added support for wireless U2F keys in a developer version of Google Authenticator back in December. There was an unofficial demo on GitHub that showed how it would work (it didn't actually work yet), and the folks at Fidesmo, a company that sells U2F cards, found the APIs buried in the Google Authenticator app. We knew something was coming and just needed to wait for it.

The authentication itself is handled by the Google Authenticator app, so it's easier on developers who want to use the feature.

Well, that support has now been expanded: you can use a wireless security key as a two-factor token when you add your Google account to a phone, and U2F works in the Chrome browser on its own, even without the Google Authenticator app installed. This is a pretty cool thing!

And the way Google is handling it all is pretty cool, too, especially for developers. Rather than a set of APIs that developers must call to let users log into their apps and services with a wireless key, the routine is an Android intent built into the Google Authenticator app. All a developer needs to do is ask for the two-factor token, and the Android system takes care of the rest: there is no waiting for developers to support anything, it just works. It doesn't look like the APIs for using the wireless signal for authentication have been opened up to other developers just yet, but we hope that's in the works so apps like Authy can support the feature, too.

What are you talking about?

A U2F key is a small hardware device, usually a USB stick, that acts as an authentication token. The name stands for Universal 2nd Factor: it is a standard that anyone making the keys and anyone building a service that accepts them can implement, so every key works with every service. They are a second factor for people who use two-factor authentication on their accounts.
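To make "a standard that works everywhere" concrete, here is an added example (not code from the article) of the exchange a U2F key and a service perform at login, written in Go against the standard library. One side plays the token: a P-256 key pair that signs a fixed message layout and returns the raw authentication response. The other side plays the service that registered the key and checks the signature, the user-presence bit and the counter. The appId, origin, challenge and the JSON shape of the client data are constructed for the example; a real service also parses the client data and checks its origin and type rather than only recomputing its hash.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const userPresenceBit = 0x01 // bit 0 of the flags byte: the user touched the key

// registeredKey is a hypothetical relying-party record created at enrolment:
// the service keeps the key's public key and the last counter it saw.
// (A real service also stores the key handle; it is not needed here.)
type registeredKey struct {
	appID   string
	pub     *ecdsa.PublicKey
	counter uint32
}

// simulateRegistration stands in for the registration step: the token makes a
// fresh P-256 key pair and the service records the public half.
func simulateRegistration(appID string) (*ecdsa.PrivateKey, *registeredKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return priv, &registeredKey{appID: appID, pub: &priv.PublicKey}, nil
}

// clientDataHash is the SHA-256 the browser (or the platform intent on Android)
// computes over the client data: the server's challenge plus the origin the
// user is actually talking to. The JSON below is a constructed stand-in.
func clientDataHash(challenge []byte, origin string) []byte {
	clientData := fmt.Sprintf(`{"typ":"navigator.id.getAssertion","challenge":"%x","origin":"%s"}`, challenge, origin)
	h := sha256.Sum256([]byte(clientData))
	return h[:]
}

// signedMessage is the byte string a U2F key signs for an authentication:
// SHA-256(appId) || flags || counter (4 bytes, big-endian) || SHA-256(clientData).
func signedMessage(appID string, flags byte, counter uint32, cdHash []byte) []byte {
	appHash := sha256.Sum256([]byte(appID))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	return bytes.Join([][]byte{appHash[:], {flags}, ctr[:], cdHash}, nil)
}

// signAssertion plays the token: it asserts user presence, signs the message
// with ECDSA over its SHA-256 digest and returns the raw authentication
// response: flags(1) || counter(4) || DER-encoded signature.
func signAssertion(priv *ecdsa.PrivateKey, appID string, counter uint32, cdHash []byte) ([]byte, error) {
	flags := byte(userPresenceBit)
	digest := sha256.Sum256(signedMessage(appID, flags, counter, cdHash))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	return bytes.Join([][]byte{{flags}, ctr[:], sig}, nil), nil
}

// verifyAssertion plays the service. It rebuilds the signed message from its
// own appId and the client data hash it expects, so a signature made over a
// different challenge or another origin's client data does not verify. It then
// requires the presence bit and a counter that moved forward (a cloned key or
// a replayed response eventually presents an old counter). State is updated
// only after every check passes.
func verifyAssertion(rk *registeredKey, resp []byte, cdHash []byte) error {
	if len(resp) < 6 {
		return errors.New("response too short")
	}
	flags, counter, sig := resp[0], binary.BigEndian.Uint32(resp[1:5]), resp[5:]
	if flags&userPresenceBit == 0 {
		return errors.New("user presence not asserted")
	}
	digest := sha256.Sum256(signedMessage(rk.appID, flags, counter, cdHash))
	if !ecdsa.VerifyASN1(rk.pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	if counter <= rk.counter {
		return errors.New("counter did not increase: replay or cloned key")
	}
	rk.counter = counter
	return nil
}

func main() {
	priv, rk, err := simulateRegistration("https://example.com")
	if err != nil {
		panic(err)
	}
	cd := clientDataHash([]byte("constructed-challenge"), "https://example.com")
	resp, _ := signAssertion(priv, rk.appID, 1, cd)
	fmt.Println("genuine assertion:", verifyAssertion(rk, resp, cd))
	fmt.Println("same response replayed:", verifyAssertion(rk, resp, cd))
	// Client data produced on a phishing page names that page's origin.
	phish := clientDataHash([]byte("constructed-challenge"), "https://evil.example")
	resp2, _ := signAssertion(priv, rk.appID, 2, phish)
	fmt.Println("assertion relayed from another origin:", verifyAssertion(rk, resp2, cd))
}
```

The two checks beyond the signature are the ones most often skipped: the user-presence bit is the proof that someone touched the key, and the strictly increasing counter is the only signal the service has that the key was not cloned.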

Read: Two-factor authentication: What you need to know

You should already have two-factor authentication set up on every account that offers it. It's the easiest way to make sure that someone who has your password still can't get in and use services in your name without another thing that proves they are you, like a time-sensitive code in an app on your phone. A lot of services offer two-factor authentication, and setting it up will be slightly different for each one. But in the end, it means that when you log into something for the first time from a new place or a new phone or computer, you need to provide something in addition to your password.

How to set up two-factor authentication on your Google account

A security key can be your main way to authenticate, but even if you would rather use an app or SMS, it makes a great backup in case you lose your phone and need to log in on a computer you've never used to change your password. Adding a security key to a Google account that already uses two-factor authentication is easy.

Adding a USB security key to your Google account is easy — and here's how to do it

Once you have added a security key to your account, it works on Android as long as the key is NFC or Bluetooth capable. We're not sure whether there are plans to enable U2F over the USB port, but at the time of writing it didn't appear to be supported. Several manufacturers make USB security keys with a wireless option, and they should all work the same as long as they follow the U2F standard. The one we like and recommend is the YubiKey NEO.

It works as described here with U2F for your accounts, and it can also act as an OTP (One Time Password) token for services that use that, like LastPass. You can enable both U2F and OTP at the same time with a utility from Yubico and these instructions.


Using an NFC or Bluetooth security key as your sole 2FA device on Android isn't recommended. It can be done, but there is no reason not to keep an authenticator app as well, so losing the key doesn't lock you out. As a second way into all of your 2FA-protected accounts, though, it looks like it's going to be well supported on Android going forward.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • Use a U2F authentication key as well as Google Authenticator as secondary steps, along with a password, for my Google account login, and my phone requires fingerprint/PIN to unlock the phone to access the authenticator, and restarting the phone requires PIN unlock initially.
  • 2FA is important, but using Bluetooth or NFC to access your 2nd factor seems like a dumb security trade-off, and a hassle too, as Bluetooth and NFC should be disabled whenever not in use.
  • The token generates a one-time passcode and the NFC function just passes the code to your phone. So if someone intercepted a code, it was only good that one time. It's basically the workaround since it's hard to plug a USB-A plug into your phone. That said, the app needs the ability to read the OTP off NFC. It works with LastPass and Yubico's own authenticator app, and supposedly if you use Chrome on your device, then websites that support it can also pick it up. YubiKeys also allow you to store the private key part of PGP so you can use it with your device to read encrypted emails sent to you via K-9 Mail or OpenKeychain, both of which read the private key through NFC after entering the PIN that protects your key. As for safety, an attacker would have to be right up against you, and your phone has to be unlocked with the screen on. Otherwise, NFC is disabled when the phone screen is off. Bluetooth is another story.
  • Would it also support USB tokens? I know on the newer Macs with only USB-C that YubiKey was suggesting a USB-to-USB-C adapter. I'm curious if that, or a USB OTG adapter, could make this work with a USB-only 2FA token. Currently I use (currently unavailable) for everything that supports it. I guess it would probably be cheaper to get an NFC-capable one, especially since there are some available cheaper than the $50 YubiKey NEO.
  • I don't think so. At least not yet. I couldn't find any evidence that it's reading anything through the USB port. But that's almost a no-brainer and hopefully, Google is going to address it. Tokens and OTPs via USB make a lot of sense when thinking about the way other things can connect via USB-C outside of the 2FA space, too. I'd love to be able to authenticate that an airport phone charger is legit, for example.
  • I know that OpenKeychain has some basic support for PGP encryption over both USB and NFC. If they can do it then Google can :)
  • The update on 2/7/17 seems to be "almost" working. If OpenPGP gets it sorted Google can just use their implementation :)
  • Jerry, silly question; if I buy a Huawei phone here in Canada or the US, should I be concerned about my security and/or privacy due to it running Android M and having a 2016 security patch? The hardware and software is really nice, I just don't know if people should mainly buy phones with 2017 patches exclusively or if phones still running Marshmallow are totally fine in terms of security. Thanks for any feedback you can provide. :)
  • Unfortunately, their more recent YubiKey 4 doesn't have any Bluetooth or NFC. I had to get that one, because the previous model only supported keys up to 2048 bits, while the new one goes up to 4096 bits. Hopefully they'll re-add those features in the next model.
  • One trick though: for the YubiKey NEO to work with U2F over NFC, it needs to have firmware version 3.4 or higher, which is any key manufactured in the last two years, from February 2015 on. Older ones don't support it and cannot be upgraded.
  • Sadly I still don't think this allows me to use my NFC implant for 2FA.
  • Even without knowing what NFC implant you have I'd say no. It does not support that. Check out VivoKey, they'll support that and they're soft launching later this year I think