Google announced today that Apple devices running iOS 13.3 and above can natively support web authentication (WebA6n) with Google Accounts, improving the security key experience on iOS devices and allowing Google Accounts and Google Advanced Protection Program to use more security key types.
With this update, iOS users will be able to log in to their iPhone using Google Titan Security Keys with NFC and secure ACCESS to NFC on the back of the body.
If you have an Apple Lightning to USB Camera Adapter, your Google account can use a Lightning or USB security key like YubiKey 5Ci. The security key for the USB-C port can be plugged directly into an iOS device, such as the iPad Pro, via the USB-C port.
Google recommends that users install the Smart Lock app to use the Bluetooth security key or the iPhone’s built-in security key to provide additional security for the Google Account on the iPhone. Google also recommends that target users with high risk of attacks use security keys as much as possible, and join Google’s Advanced Protection Program to provide additional account protection with physical security keys.
Using a physical security key provides more protection than two-factor authentication because it requires that you have a physical key (or an iPhone key using a smart lock app) to log in to a Google account, not just digitally generated code.
WebAuthn was announced by the W3C and Fido Alliance in November 2015 and is now an open standard for online password-free logins. It is supported by W3C contributors including Airbnb, Alibaba, Apple, Google, IBM, Intel, Microsoft, Mozilla, PayPal, SoftBank, Tencent and Yubico. In March 2019, the Web Authentication API (WebAuthn) is now the official Web standard.
The specification allows users to log into online accounts using biometrics, mobile devices, and/or FIDO security keys. Android and Windows 10 already support WebAuthn. On the browser front, Google Chrome, Mozilla Firefox and Microsoft Edge all started supporting WebAuthn last year. Since December, Apple has supported WebAuthn in Safari’s preview.
“It’s time for Web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help Web users improve the security of their online experience,” W3C CEO Jeff Jaff said in a statement. The W3C standard establishes Web-wide interoperability guidance that sets consistent expectations for Web users and the sites they visit. W3C is working to implement this best practice on its own site. “