back to article When is a phone not a phone? When it's an Android security key

People with suitably modern Android phones can now use their handsets as a hardware security key to safeguard both their Google Accounts and Google Cloud accounts. The ads and compute-time rental biz announced the change at Google Cloud Next '19 in San Francisco, in conjunction with some hand waving about a variety of other …

  1. JohnFen Silver badge

    Nope

    That's a hard no for me. I don't trust Google nearly enough to be OK with that.

    1. Colin Ritman
      FAIL

      Re: Nope

      Clearly you are having trouble understanding what this is, and just jumped to the idiot kneejerk reaction.

      To assist idiots here are some important bullet points, I will try and keep them short to not over fill their simple minds.

      1/ It's a one time code.

      2/ it uses independent secure protocol called FIDO (https://fidoalliance.org)

      3/ it's substantially more secure than SMS

      4/ Most idiots still don't use and second factor

      1. AMBxx Silver badge

        Re: Nope

        5/ Google will get bored of it and drop it in a year or so

        1. This post has been deleted by a moderator

          1. AMBxx Silver badge
            Trollface

            Re: Nope

            Looks like Colin got out of bed on the wrong side this morning.

            If you believe you know more than everyone else on here, then explain it clearly in a non-patronising way.

          2. Anonymous Coward
            Anonymous Coward

            Re: Nope

            > Another retard.

            "Youtube comments" is this way ---------->

      2. JohnFen Silver badge

        Re: Nope

        I understand it just fine, thanks.

        1. AMBxx Silver badge

          Re: Nope

          Sorry, I was wrong - from his profile, it looks like Colin's like this all the time.

  2. Anonymous Coward
    Anonymous Coward

    Suits me

    "People with suitably modern Android phones can now use their handsets as a hardware security key to safeguard both their Google Accounts and Google Cloud accounts."

    How about an suitably modern Android OS that safeguards users from Google?

    https://www.lineageos.org/

    1. adnim Silver badge

      Re: Suits me

      :-)

      yup Google is good for search. Nothing else they have interests me. My 5 year old phone runs Lineage and I have a huge hosts file. And I still don't trust it with information I do not want to be shared with second parties, never mind third parties. Go ahead and laugh at me for being paranoid.

      When is a phone not a phone? It is always a phone, its just a spying device too.

  3. Anonymous Coward
    Anonymous Coward

    How on earth can an systematically unpatched OS serve as security key? Somebody please explain.

    (The fact there is a happy 1% still getting updates for 3 years old kit doesn't change the fact most people don't.)

    1. Colin Ritman
      FAIL

      Wondering where you got your 1% number from, or did you pull it out your arse?

      I guess you just took the full version Android adoption rates and assumed that the full picture, when its obviously not the full picture, as Android 6,7,8 and 9 are patched every month with the same security fixes, meaning, unlike iOS (which only patches the latest), Android gets patches regardless of latest version uptake, and this number is not reported in an easy way for clickbait hacks to throw together sensational "news".

      I'm going to pull a number out my arse, and say 60% of Android devices launched in the last couple of years are running a patch version from 2019... If you cut out the budget sub £100 tat, that number would be closer to 80% given pretty much every OEM has signed support agreements with Google for releasing patches within 180 days if they want to include Google play services on their kit.

      Still nice try numpty.

      1. AMBxx Silver badge

        Rubbish - that's all dependent upon the device manufacturer. Try a Blackberry Android and see how you get on after 3 years.

      2. Anonymous Coward
        Anonymous Coward

        Numpty

        > unlike iOS (which only patches the latest),

        Yeah, that's because the latest version of iOS is on 80% of ALL iOS devices (as of Feb 2018), whereas the latest version of Android is only on 21.5% of devices.

        Even if you add up the percentages of Android devices on every version since v6, it still only accounts for 71% of devices.

        Poor try numpty.

      3. Flywheel Silver badge

        "Android 6,7,8 and 9 are patched every month with the same security fixes"

        Every month? Wow, my Moto G5, allegedly a modern phone, was last patched on December 1st 2018. The Kernel is from December 14th 2018.

        1. Anonymous Coward
          Anonymous Coward

          Then you need to speak to your carrier, as you should be running the Feb 2019 update...

          next time, if you really care about security updated, don't rely on your network being kind to you. #fail

          1. Cuddles Silver badge

            "Then you need to speak to your carrier, as you should be running the Feb 2019 update...

            next time, if you really care about security updated, don't rely on your network being kind to you. #fail"

            Why do you think a carrier should be involved at all? I have the same phone with the same patch. Lenovo made the phone, Lenovo issue the patches, and that's the most recent one that's available. No-one else is involved at any point, nor should they need to be.

            As for those suggesting LineageOS, that's a decent idea if you happen to be lucky enough to have a supported phone. However, given that not a single phone I've ever owned is supported that's a bit of a problem. That's including flagships from the likes of Samsung, Sony and HTC. Unfortunately, much as we like to mock Google for constantly dropping support for things, it's even more of a problem for free open-source things which rely entirely on some volunteer somewhere deciding to do the work. I love the idea of projects like LineageOS in principle, but in practice whether your phone is supported, and whether it will remain so a few months or years down the line, is basically a matter of random chance and the goodwill of strangers. Neither of those are great things to be basing your security on.

            1. Anonymous Coward
              Anonymous Coward

              Then you have a faulty phone. it should be running OPSS28.85-16-6 Feb 2019 patch.

              Why is any of this Google's fault?

              1. doublelayer Silver badge

                Why is any of this Google's fault?

                Because it's Google's platform. They decide all the specs, they write most of the code, and they have effective control over who can make devices and how by licensing Google Play Services which every manufacturer wants. This means that they have the potential to enforce security updates, or for that matter feature updates. A simple "if your device meets the spec for the feature update and was released less than [insert reasonable value] months before the release of that feature update, you must release a version of that update within two months of its release. If you don't, we will not license Google Play Services for your next generation of devices" would do the trick. It is entirely in their rights to decide not to care, but that also means we can complain about their choice not to do this. Their choice, ergo their responsibility.

      4. Anonymous Coward
        Anonymous Coward

        180

        "pretty much every OEM has signed support agreements with Google for releasing patches within 180 days"

        180 days!?? Jeezus! I thought waiting 180 minutes for the servers to become less busy after a new iOS release was long enough...!

        1. Anonymous Coward
          Anonymous Coward

          Re: 180

          The difference of course, is every iOS update takes 180 days after release to get rid of all the bugs, and then it's time for a new OS update that brings a huge slew of new bugs, and features to slow down your 2 year old device to a point where you seemingly want to buy another Apple product.

      5. Jamie Jones Silver badge

        I've got a lovely android-tv device, fitted with 512GB local storage, NFS, and 'airmouse' keyboard/mouse combo.

        I'm actually writing this on it now - from my sofa!

        It runs Android 5.1. I'd love to upgrade it.

        Despite it working perfectly - being powerful enough for me to run windowed apps (browsers, terminal emulators, x-client) and has hardware support for 1080p h264 etc. for my 100" screen, and audio data passthrough for my surround-sound setup, I did actually buy a more recent box to get a newer android version. But the new box is not as good, and it puts up a harder fight when I try to do lower level customisations.

        As I said, I'd love to upgrade it. Please tell me how.

      6. Anonymous Coward
        Anonymous Coward

        Android gets patches regardtless of latest version uptake...

        Tell that to my fully functional Android 4.2 tablet. You know, the last one with a proper tablet interface?

  4. Adam JC

    "We're essentially allowing multifactor authentication using your Android device as a security key, so you don't need a separate device," said Jennifer Lin, director of security for Google Cloud, at a press briefing on Tuesday."

    What the heck? I've been using Google Authenticator extensively for all of our 2FA stuff (Except for DuoSecurity for RDP) for years... is this is a new product, or are they just attempting to re-release the same thing under another name?

    1. AMBxx Silver badge

      It's the presence of the physical device or something rather than the code it generates.

    2. Anonymous Coward Silver badge

      It's sending the code over bluetooth automatically, rather than you having to type it in.

      i.e. the presence of the device is enough.

  5. EastFinchleyite

    "You owe your soul to the company store"

    "To turn their devices into key conveyors, Google account holders need an Android 7.0+ phone, with Bluetooth active, and a Bluetooth-enabled ChromeOS, macOS or Windows 10 computer running a Chrome browser. "

    I stopped at this point..

    (apologies to Tennessee Ernie Ford)

  6. JimmyPage Silver badge
    Linux

    Linux ???

    Did I miss any mention of it working on a Linux machine ?

    1. doublelayer Silver badge

      Re: Linux ???

      Unfortunately, the mention was purely implied and could best be stated outright as "It doesn't run on a Linux machine and we are not going to do anything to fix that". They probably don't want to waste the tiny amount of employee time it would take to have chrome on Linux properly interact with the various options for bluetooth controllers. They probably also are aware that Linux users are less likely to use Chrome directly, instead opting for Firefox or a derivative of Firefox or Chromium, none of which would support it. Finally, they've probably done the math and realized that Linux users are more likely to see that this isn't very new and could potentially be quite unwanted, so why bother? Sorry, you're out of luck.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020