To stop hackers from breaking into online accounts, Google is going to start using the Bluetooth functionality on user smartphones to verify that a login is legit.
The company announced the effort at Google I/O on Wednesday, citing the threat of more advanced phishing attacks from hackers.
To stop such attempts, you can set up two-factor authentication on an online account. This requires anyone logging in to supply both the correct password and a one-time passcode, which is usually generated on the user's smartphone.
However, Google says more hackers are coming up with ways to beat such two-factor authentication systems. In some cases, the culprits will try to trick users into handing over the one-time passcode by sending a fake text message from the account provider, such as Google.
In other cases, the attacker directs the user to a fake website that captures the login credentials, including the two-factor code, and reuses them against the real site in real time.
“In these attacks, a user thinks they’re logging into the intended site, just as in a standard phishing attack,” Google wrote in a blog post. “But instead of deploying a simple static phishing page that saves the victim’s email and password when the victim tries to log in, the phisher has deployed a web service that logs into the actual website at the same time the user is falling for the phishing page.”
These phishing attempts underscore a weakness in traditional two-factor authentication systems: a remote attacker can still trick the victim into completing whatever authentication challenge the login process presents, because nothing ties the victim's response to the site they are actually on.
In response, Google says it’s come up with a promising solution, which requires anyone logging in to your online account to be physically close to the computer. To pull this off, the company is going to tap the Bluetooth functionality on the user’s smartphone to authenticate the sign-in request.
To be clear, this login method is different from simply generating a prompt on your smartphone to verify the login. “We use Bluetooth to ensure your phone is close to the device you’re logging into,” Google said. “Like physical security keys, this helps prevent a distant attacker from tricking you into approving a sign-in on their browser, giving us an added layer of security against the kind of ‘person in the middle’ attacks that can still work against SMS or Google Prompt.”
The company actually debuted the technology back in 2019 as a more secure way to log in to your Google account. The system uses the FIDO2 standard and stores a cryptographic key on your phone, which signs authentication requests over Bluetooth to unlock the designated online account. The private key itself never leaves the phone; only signed responses are sent to the computer, which is what makes the scheme resistant to phishing.
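The following is an added example, not code from the article or from Google, that shows why the real-time relay described above defeats a one-time code but fails against a FIDO2-style assertion. Every name and origin in it is constructed, and a keyed HMAC stands in for the authenticator's public-key signature: the property being demonstrated is that the browser's origin sits inside the signed data, which does not depend on the signature algorithm. It does not model the Bluetooth proximity check, only the origin binding.

```python
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://accounts.example.test"   # constructed: the genuine site
PHISH_ORIGIN = "https://accounts-example.test"  # constructed: look-alike site


class OtpServer:
    """Legacy second factor: a bare six-digit code with no tie to where it was typed."""

    def __init__(self):
        self.pending = {}

    def issue_code(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        return code

    def login(self, user, code):
        expected = self.pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, code)


class Phone:
    """The authenticator. The key never leaves it; only signatures do."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def registration_material(self):
        # Stand-in for the public key the server stores at enrolment (assumption).
        return self._key

    def sign(self, challenge, origin):
        # The browser reports the origin it is actually on, and the signature
        # covers it, so a relay cannot swap the origin afterwards.
        client_data = json.dumps(
            {"challenge": challenge, "origin": origin}, sort_keys=True
        ).encode()
        sig = hmac.new(self._key, client_data, hashlib.sha256).digest()
        return client_data, sig


class FidoServer:
    """Relying party: checks challenge freshness, origin, then the signature."""

    def __init__(self, origin):
        self.origin = origin
        self.creds = {}
        self.pending = {}

    def register(self, user, material):
        self.creds[user] = material

    def challenge(self, user):
        c = secrets.token_hex(16)
        self.pending[user] = c
        return c

    def login(self, user, client_data, sig):
        expected_challenge = self.pending.pop(user, None)
        if expected_challenge is None:
            return False
        data = json.loads(client_data)
        if data.get("challenge") != expected_challenge:
            return False  # stale or replayed challenge
        if data.get("origin") != self.origin:
            return False  # signed while on another site: a relayed login
        expected_sig = hmac.new(self.creds[user], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected_sig, sig)


def relayed_otp_login():
    """Victim types the code into the look-alike page; the relay forwards it."""
    server = OtpServer()
    code_shown_to_victim = server.issue_code("alice")
    captured_by_relay = code_shown_to_victim        # typed into PHISH_ORIGIN
    return server.login("alice", captured_by_relay)  # accepted: True


def _enrolled():
    phone, server = Phone(), FidoServer(REAL_ORIGIN)
    server.register("alice", phone.registration_material())
    return phone, server


def legitimate_fido_login():
    phone, server = _enrolled()
    client_data, sig = phone.sign(server.challenge("alice"), REAL_ORIGIN)
    return server.login("alice", client_data, sig)  # True


def relayed_fido_login():
    """Relay proxies the real challenge to a victim whose browser is on PHISH_ORIGIN."""
    phone, server = _enrolled()
    client_data, sig = phone.sign(server.challenge("alice"), PHISH_ORIGIN)
    return server.login("alice", client_data, sig)  # rejected: False


def relayed_fido_login_rewritten_origin():
    """Relay edits the origin field before forwarding; the signature no longer matches."""
    phone, server = _enrolled()
    client_data, sig = phone.sign(server.challenge("alice"), PHISH_ORIGIN)
    forged = json.loads(client_data)
    forged["origin"] = REAL_ORIGIN
    return server.login("alice", json.dumps(forged, sort_keys=True).encode(), sig)  # False
```

The two FIDO2 failure paths are the point: the server rejects an assertion signed on the wrong origin, and if the relay rewrites the origin to pass that check, the signature over the edited client data no longer verifies. The one-time code has neither protection, which is why a relay can forward it unchanged.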
Google previously made the system opt-in. But now the company plans on using the Bluetooth authentication method more widely to foil suspected phishing attempts.
“Over the next couple of months we’ll be rolling out this technology in more places, which you might notice as a request for you to enable Bluetooth while logging in, so we can perform this additional security check,” the company wrote.
On the downside, the authentication system only works on computers that support Bluetooth and browsers that support the FIDO2 standard. As an alternative, Google has begun experimenting with asking users to connect their phone to the same Wi-Fi network as the computer they are logging into, as a way to verify that a sign-in is legitimate.
“Of course, while all of these options dramatically increase account security, we also know that they can be a challenge for some of our users, which is why we’re rolling them out gradually, as part of a risk-based approach that also focuses on usability,” the company added. “If we think an account is at a higher risk, or if we see abnormal behavior, we’re more likely to use these additional security measures.”
Still, over time, Google plans on phasing out traditional login methods. Instead, the company is joining Apple and Microsoft in adopting a new login system that relies on user smartphones or laptops to authenticate the sign-ins through Bluetooth.
“Phishing attacks have long been seen as a persistent threat, but these recent developments give us the ability to really move the needle and help more of our users stay safer online,” Google added.