Categories
Security

Update Now: New Mac Vulnerability Allows Apps to Spy On You

Microsoft is warning Mac users to update to the latest version of MacOS Monterey after it found a vulnerability in Apple’s Transparency, Consent, and Control (TCC) feature.

Exploiting this vulnerability could allow malicious actors to spoof the TCC and plant malware or hijack another app on the computer.

Introduced in 2012 with MacOS Mountain Lion, TCC is designed to help control an app’s access to things such as the camera, microphone, and data. When an app requests access to protected data, the request is compared to existing stored records in a special database. If the records exist, then the app is denied or approved access based on a flag that denotes the level of access.

Otherwise, a prompt is shown to the user to explicitly grant or deny access. Once the user responds, that request is stored in the database and future requests will follow the user’s previous input.

According to Microsoft, the “powerdir” vulnerability, also known as CVE-2021-30970, was actually exploited two times by their security researchers. The first “proof of concept” exploit basically planted a fake TCC database file and changed the user’s home directory.

By doing this, Microsoft was able to change the settings on any application or enable access to the microphone or camera. Microsoft was even cheekily able to give Teams mic and camera access. Microsoft reported these initial findings to Apple in July 2021, though the exploit apparently still worked, despite Apple fixing a similar exploit demonstrated at Black Hat 2021.

The second proof-of-concept exploit came about because a change in MacOS Monterey’s dsimport tool broke the first exploit. This new exploit allows an attacker to use code injection to change a binary called /usr/libexec/configd. This binary is responsible for making system-level configuration changes, including access to the TCC database. This allowed Microsoft to silently change the home directory and execute the same kind of attack as the first exploit.
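The lookup-then-prompt flow described above, and why a consent database located through the user's home directory is only as trustworthy as that home directory, shown as an added example (not Apple's or Microsoft's code). The single-table schema, the service and client names, and the audit helper are simplified assumptions made for illustration.

```python
import os
import sqlite3
import tempfile

# Simplified model: one allow/deny flag per (service, client). The table
# layout is constructed for this example; the real TCC schema has more columns.
DB_REL_PATH = os.path.join("Library", "Application Support", "com.apple.TCC", "TCC.db")
SERVICE = "microphone"          # constructed service name
CLIENT = "com.example.chat"     # constructed app identifier


def open_db(home):
    """Open (creating if needed) the model consent database under `home`."""
    path = os.path.join(home, DB_REL_PATH)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS access ("
        "service TEXT, client TEXT, allowed INTEGER, "
        "PRIMARY KEY (service, client))"
    )
    return db


def check_access(home, service, client, prompt):
    """Return (allowed, prompted): a stored record decides, otherwise ask and store."""
    db = open_db(home)
    try:
        row = db.execute(
            "SELECT allowed FROM access WHERE service = ? AND client = ?",
            (service, client),
        ).fetchone()
        if row is not None:
            return bool(row[0]), False          # existing record, no prompt shown
        allowed = bool(prompt(service, client))  # no record: the user decides
        db.execute("INSERT INTO access VALUES (?, ?, ?)", (service, client, int(allowed)))
        db.commit()
        return allowed, True
    finally:
        db.close()


def audit_home_changes(baseline, current):
    """Report users whose home differs from the baseline, noting whether the
    new location already contains a consent database (hypothetical check)."""
    findings = []
    for user, home in sorted(current.items()):
        expected = baseline.get(user)
        if expected is None or os.path.realpath(home) == os.path.realpath(expected):
            continue
        has_db = os.path.exists(os.path.join(home, DB_REL_PATH))
        findings.append((user, expected, home, has_db))
    return findings


def no_prompt(service, client):
    raise AssertionError("a stored record should have answered this request")


def demo():
    with tempfile.TemporaryDirectory() as root:
        real_home = os.path.join(root, "Users", "alice")
        staged_home = os.path.join(root, "staging", "alice")

        # The user is prompted once and denies; the answer is remembered.
        first = check_access(real_home, SERVICE, CLIENT, lambda s, c: False)
        repeat = check_access(real_home, SERVICE, CLIENT, no_prompt)

        # A database the user never approved sits in another directory.
        db = open_db(staged_home)
        db.execute("INSERT INTO access VALUES (?, ?, 1)", (SERVICE, CLIENT))
        db.commit()
        db.close()

        # Same user, same app, but the lookup now follows the changed home
        # directory: the denial is never consulted and no prompt appears.
        after = check_access(staged_home, SERVICE, CLIENT, no_prompt)

        findings = audit_home_changes({"alice": real_home}, {"alice": staged_home})
        return {"first_request": first, "repeat_request": repeat,
                "after_home_change": after, "findings": findings}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit helper illustrates the defensive signal: a home directory that changes and lands on a location that already holds a consent database is worth alerting on.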

Fortunately, Microsoft again notified Apple of the vulnerability, and it was patched last month. Microsoft is urging macOS users to ensure that their version of MacOS Monterey is updated with the latest patch. The company also took time to promote its own Defender for Endpoint enterprise security solution, which was able to prevent those exploits even before Apple patched them.

There have been previous TCC exploits, including one that utilizes Apple’s built in Time Machine utility, that have since been patched as well. It’s always highly advised to keep all of your devices updated with the latest patches to prevent possible exploits like this. Feel free to read the details of Microsoft’s TCC exploits on their security blog post.

Repost: Original Source and Author Link

Seven teenagers arrested in connection with the Lapsus$ hacking group

City of London Police have arrested seven teenagers due to their suspected connections with a hacking group that is believed to be the recently prolific Lapsus$ group, BBC News reports.

“The City of London Police has been conducting an investigation with its partners into members of a hacking group,” Detective Inspector Michael O’Sullivan of the City of London Police said in a statement to The Verge. “Seven people between the ages of 16 and 21 have been arrested in connection with this investigation and have all been released under investigation. Our enquiries remain ongoing.”

Lapsus$ has taken responsibility for some major security breaches at tech companies, including Nvidia, Samsung, Ubisoft, Okta, and Microsoft. On Wednesday, reports surfaced indicating an Oxford-based teenager is the mastermind of the group. City of London Police did not say if this teenager was among those arrested.

At least one member of Lapsus$ was also apparently involved with a data breach at EA, cybersecurity expert Brian Krebs reported on Wednesday in an extensive article about the group. Vice corroborated the group’s involvement in that breach in its own article on Thursday, noting that it was “emblematic of Lapsus$’s subsequent and massive hacks.”

The suspected mastermind’s identity was apparently revealed by angry customers doxing him. According to Krebs’ report, the group’s leader purchased Doxbin, a site where people can share or find personal information on others, last year, but was a poor owner of the site. He apparently gave up control in January but leaked “the entire Doxbin data set” to Telegram, and the Doxbin community retaliated by doxing him.

BBC News says it spoke to the teenager’s father, who was apparently unaware of his involvement with the group. “I had never heard about any of this until recently. He’s never talked about any hacking, but he is very good on computers and spends a lot of time on the computer,” the father said, according to BBC News. “I always thought he was playing games. We’re going to try to stop him from going on computers.”

Update March 24th, 12:05PM ET: Added City of London Police statement and additional context about the group.

This MacOS Trojan stealthily lifts your data, says Microsoft

You might think that your Mac is invulnerable to viruses and other security threats, but you might want to think again. As part of its commitment to intelligence sharing and collaboration, Microsoft recently exposed the evolution of a MacOS Trojan that can stealthily lift your personal data.

First spotted in September 2020, Microsoft says this piece of malware, known as UpdateAgent, has increasingly progressed to “sophisticated capabilities.” Though it also indicated that the latest two versions are still more “refined,” Microsoft does warn that the malware is again being developed, and more updates could come soon.

It is so bad that Microsoft believes this malware can be leveraged to fetch more dangerous payloads beyond just the adware that it is already injecting into victim machines.

But how does it work? Per Microsoft, the UpdateAgent malware can impersonate real software, and then take Mac functionalities under its own control. It is usually first installed to victim Macs by automated downloads without a user’s consent, or advertisement pop-ups, which impersonate video applications and support agents. UpdateAgent can even bypass Gatekeeper, which usually makes sure that only trusted apps can run on Macs. The malware then takes over a machine and performs malicious acts like injecting adware.

Microsoft worked with Amazon Web Services to pull the URLs used by UpdateAgent to inject adware, but the UpdateAgent campaign has steadily evolved. It went from basic information stealer in December 2020, to the ability to fetch and deliver .DMG files in February 2021, to being able to fetch and deliver .ZIP files in March 2021.

Later in August, the malware expanded its reconnaissance function to scan and collect System_profile and SPHardwaretype information from victim machines. At its worst point in August, the malware even used permissions and wrote its own code to trick Gatekeeper into thinking it’s not even there.

“UpdateAgent is uniquely characterized by its gradual upgrading of persistence techniques, a key feature that indicates this trojan will likely continue to use more sophisticated techniques in future campaigns,” Microsoft said.

Microsoft wasn’t clear which versions of MacOS are impacted by UpdateAgent, but it did have some advice that goes beyond using antivirus software. It pointed to using the Microsoft Edge browser, which can block and scan for malicious websites. Other tips include restricting access to privileged resources, installing apps only from the app store, and running the latest versions of MacOS and other applications.

Russian military reportedly hacked into European satellites at start of Ukraine war

American government officials told The Washington Post that the Russian military was responsible for a cyberattack on a European satellite internet service that affected Ukrainian military communications in late February.

The hack affected the KA-SAT satellite broadband network, owned by Viasat, an American satellite communications company. On February 24th, the day the Russian invasion of Ukraine began, the KA-SAT network was hit by outages that affected Ukraine and surrounding regions in Europe. A few days afterward, Viasat blamed outages on a “cyber event,” but did not release further details.

Though Ukrainian officials have not fully disclosed the impact, the outage is believed to have caused significant communications disruptions at the beginning of the war.

The NSA was reported to be collaborating on an investigation with Ukrainian intelligence services, but no results have been officially announced. However, anonymous officials reportedly told the Post that US intelligence analysts have now concluded that Russian military hackers were behind the attack.

A request for confirmation sent by The Verge to the Cybersecurity and Infrastructure Security Agency (CISA) had not received a response by the time of publication.

Officials from Viasat told Air Force Magazine that the attack was conducted through a compromise of the system that manages customer satellite terminals, and only affected customers of the KA-SAT network, a smaller broadband provider that Viasat bought last year from French satellite operator Eutelsat.

At the outset of the conflict, commentators feared that Russia could launch widespread and destructive cyberattacks. While one perspective holds that such attacks have failed to materialize, the slow release of additional information gives credence to the suggestion that many attacks may have occurred in the shadows.

In the aftermath of the hack, CISA and the FBI issued a joint cybersecurity advisory to satellite communications providers, warning that the agencies were aware of possible threats to US and international networks, and advising companies to report any indications of malicious activity immediately.

As the war in Ukraine continues — and US opposition to Russia grows in the form of sanctions — the Biden administration has issued increasingly serious warnings about the possibility of Russian cyberattacks on US infrastructure.

On Monday, President Biden advised US businesses to take added precautions against hacking, citing “evolving intelligence” that Russia was preparing to target the US with cyberattacks. Then on Thursday, the Department of Justice unsealed indictments against four Russians accused of mounting state-sponsored cyberattacks against the US, publicly releasing details of a highly sophisticated hacking campaign involving supply-chain software compromises and spear-phishing campaigns against thousands of employees of companies and US government agencies.

Unprecedented cyberattack takes Nvidia offline for two days

Nvidia announced that its network has been compromised, and the company is in the process of investigating a potential cybersecurity breach that took down the chipmaker’s systems over the last two days. The latest cybersecurity concern adds to Nvidia’s problems with chip shortages during the global pandemic, which have affected the entire semiconductor industry.

News of Nvidia’s compromised internal systems was initially reported by British publication The Telegraph, which noted that it was likely a cyberattack.

“We are investigating an incident,” Nvidia told the publication. “We don’t have any additional information to share at this time.”

According to the report, the company’s developer tools and email system were said to have suffered outages over the past two days, leading to speculation that Nvidia’s network may have suffered from a cyberattack. Other parts of Nvidia’s internal network may have been affected as well, with The Telegraph reporting that the company’s network was entirely compromised.

If accurate, this could mean that confidential and proprietary information may have been unlawfully accessed. Of concern is that a malicious attacker could have injected malware onto Nvidia’s systems. There is speculation that ransomware may have been installed on Nvidia’s servers, though this has not yet been confirmed by the company. It is also unclear at this point what, if any, data may have been improperly accessed or deleted from the company’s network.

The Telegraph did state that some email systems were up and running on Friday. Nvidia’s website and home page are currently up and running.

At this time, it’s unclear who initiated the cyberattack on Nvidia, but the report from The Telegraph speculates on the timing of the cyberattack, which lines up with the invasion of Ukraine by Russia. Ahead of the situation in Ukraine, the U.S. government had issued warnings to technology companies warning of potential cyberattacks, but there’s been no confirmation so far that this was a state-sponsored incident.

In addition to investigating the attack, VideoCardz reported that Nvidia now also has the daunting task of ensuring that its systems are clean and that malware doesn’t slip into software and products that are shipped to consumers, including the company’s graphics cards and chips for autonomous driving, servers, and supercomputers. It’s unclear how long Nvidia’s investigation will take and if law enforcement will ultimately step in.

Prior to the cyberattack, Nvidia was most recently in the news for abandoning its acquisition proposal for chipmaker ARM. Nvidia had initially proposed a $40 billion takeover of ARM from Japanese conglomerate SoftBank, but the deal ultimately fell through due to regulatory concerns.

FCC adds Kaspersky to its list of national security threats

The US Federal Communications Commission has added Russian cybersecurity company Kaspersky Lab to its list of entities that pose an “unacceptable risk to US national security,” according to a report from Bloomberg. This is the first time a Russian company has been added to the list, which is otherwise made up of Chinese companies, like Huawei and ZTE.

Businesses in the US are barred from using federal subsidies provided through the FCC’s Universal Service Fund to purchase any products or services from the companies on the list. In addition to Kaspersky, the FCC also added China Telecom and China Mobile International USA to its list on Friday.

“I am pleased that our national security agencies agreed with my assessment that China Mobile and China Telecom appeared to meet the threshold necessary to add these entities to our list,” FCC Chairwoman Jessica Rosenworcel said in a press release (PDF). “Their addition, as well as Kaspersky Labs, will help secure our networks from threats posed by Chinese and Russian state backed entities seeking to engage in espionage and otherwise harm America’s interests.”

Kaspersky responded to the FCC’s move in a press release on its site, saying the agency’s decision was “made on political grounds” in light of Russia’s invasion of Ukraine, and that the company “remains ready to cooperate with US government agencies to address the FCC’s and any other regulatory agency’s concerns.”

In 2017, Russian intelligence allegedly used Kaspersky’s antivirus software to steal classified documents from the National Security Agency — a claim denied by the Moscow-based company. Later that year, former President Donald Trump signed a bill banning the use of Kaspersky products by federal agencies after accusing the company of having ties to the Kremlin.

Hackers stole top-secret GPU details — then Nvidia hit back

Following a cyberattack that took Nvidia’s systems offline for two days last week, the hacking group behind the initial breach has now revealed it has allegedly gained access to over 1TB of data from the tech giant.

When the attack was originally reported on Friday, there wasn’t too much information provided beyond the fact that Nvidia was “investigating an incident.” However, over the weekend, there were some extremely interesting developments pertaining to the situation, including purported retaliation by Nvidia.

Cyber breach details reveal extent of hack

Firstly, hacking group LAPSUS$ stated that the hack it carried out resulted in gaining entry to Nvidia’s servers for about an entire week. As a result of this unprecedented access, it says it was able to extract 1TB of data, including schematics, drivers, firmware, and more.

“We also have documentation, private tools and SDKs, and everything about falcon [microprocessors for NVIDIA GPUs based on a custom architecture], we know what is valuable,” the South American group explained on Telegram.

According to VideoCardz, the group has released the first batch of the leak. The publication’s sources indicate that the “partial data included in the package appears to match the claims.”

One important piece of data originating from the hack the group claims it now has in its possession is an LHR V2 bypass for GA102-GA104 GPUs. As reported by VideoCardz, that means LAPSUS$ located the main algorithm used to implement the cryptocurrency mining hash rate limiter that Nvidia applied to its RTX 30-series of graphics cards in 2021. It says it is currently selling the LHR V2 bypass, but added that the group hopes Nvidia removes it soon.

Most recently, a tool that was claimed to remove the mining limits imposed on various Nvidia GPUs was proven to be malware. But if these hackers’ assertion that they stole the algorithm behind the limiter is actually true, then a program to unlock full mining performance for some of the most popular video cards may very well materialize in the near future.

The Telegram posts detailing the Nvidia cyberattack.
Image source: VideoCardz

As detailed in its Telegram posts revealing the extent of the hack, the group said that in an effort to “help” the mining and gaming communities, it wants Nvidia to “push an update for all 30-series firmware that remove every LHR limitation.” If the company does not meet this specific demand, LAPSUS$ threatens to leak the “hw folder.”

Moreover, should Nvidia fail to contact the hackers, the group “will take actions.” While the exact motive behind the hack may potentially be related to extracting as much monetary value as it can, LAPSUS$ stresses the attack is not politically motivated, nor is it state-sponsored.

Nvidia fights back

In an interesting turn of events over the weekend, Nvidia has seemingly fought back by, well, hacking the hackers. According to a tweet from vx-underground, as reported by Kitguru, Team Green “performed a hack back” and subsequently “ransomed [the group’s] machines.” A statement from the group further elaborated on Nvidia’s actions, apparently confirming that the firm encrypted its hard drives. However, LAPSUS$ asserts it was able to generate a backup containing the breached data.

LAPSUS$ commented on Nvidia’s alleged counterattack in another Telegram post. Access to the GPU and chip manufacturer’s VPN required the PC “to be enrolled in MDM (Mobile Device Management).” Due to this method that was utilized by the hackers to initially infiltrate Nvidia’s systems, the firm was “able to connect to a VM [virtual machine] we use.”

“Yes they successfully encrypted the data. However we have a backup,” it added.

Either way, it’s unheard of for a company of Nvidia’s size to initiate its own counterassault of this nature, regardless of whether it was in the form of a hack or not.

As for Nvidia’s acknowledgement of the purported exploits, it confirmed it is “investigating an incident” on Friday. Beyond that admission, LAPSUS$ said the company “filed [an] abuse report.”

Elsewhere, as reported by Bloomberg, Nvidia said its “business and commercial activities continue uninterrupted. We are still working to evaluate the nature and scope of the event and don’t have any additional information to share at this time.” Additionally, a Bloomberg source familiar with the matter said the cyber breach “looks to be relatively minor and not fueled by geopolitical tensions.”

News of the cyberattack failed to negatively impact Nvidia’s stock prices. Instead, shares actually increased by 1.7% to $241.57 when the markets closed on Friday. That said, Bloomberg highlights how stocks for the chipmaker (with the company valued north of $600 billion) have been on a downward trend during 2022 thus far (by 18% to be exact).

The hack comes at a time when Nvidia’s proposed $66 billion acquisition of British chip designer ARM was officially canceled amid intense regulatory pressure from several governmental bodies.

Security experts fear the DMA will break WhatsApp encryption

On March 24th, EU governing bodies announced that they had reached a deal on the most sweeping legislation to target Big Tech in Europe, known as the Digital Markets Act (DMA). Seen as an ambitious law with far-reaching implications, the most eye-catching measure in the bill would require that every large tech company — defined as having a market capitalization of more than €75 billion and a user base of more than 45 million people in the EU — create products that are interoperable with smaller platforms. For messaging apps, that would mean letting end-to-end encrypted services like WhatsApp mingle with less secure protocols like SMS — which security experts worry will undermine hard-won gains in the field of message encryption.

The main focus of the DMA is a class of large tech companies termed “gatekeepers,” defined by the size of their audience or revenue and, by extension, the structural power they are able to wield against smaller competitors. Through the new regulations, the government is hoping to “break open” some of the services provided by such companies to allow smaller businesses to compete. That could mean letting users install third-party apps outside of the App Store, letting outside sellers rank higher in Amazon searches, or requiring messaging apps to send texts across multiple protocols.

But this could pose a real problem for services promising end-to-end encryption: the consensus among cryptographers is that it will be difficult, if not impossible, to maintain encryption between apps, with potentially enormous implications for users. Signal is small enough that it wouldn’t be affected by the DMA provisions, but WhatsApp — which uses the Signal protocol and is owned by Meta — certainly would be. The result could be that some, if not all, of WhatsApp’s end-to-end messaging encryption is weakened or removed, robbing a billion users of the protections of private messaging.

Given the need for precise implementation of cryptographic standards, experts say that there’s no simple fix that can reconcile security and interoperability for encrypted messaging services. Effectively, there would be no way to fuse together different forms of encryption across apps with different design features, said Steven Bellovin, an acclaimed internet security researcher and professor of computer science at Columbia University.

“Trying to reconcile two different cryptographic architectures simply can’t be done; one side or the other will have to make major changes,” Bellovin said. “A design that works only when both parties are online will look very different than one that works with stored messages …. How do you make those two systems interoperate?”

Making different messaging services compatible can lead to a lowest common denominator approach to design, Bellovin says, in which the unique features that made certain apps valuable to users are stripped back until a shared level of compatibility is reached. For example, if one app supports encrypted multi-party communication and another does not, maintaining communications between them would usually require that the encryption be dropped.

Alternatively, the DMA suggests another approach — equally unsatisfactory to privacy advocates — in which messages sent between two platforms with incompatible encryption schemes are decrypted and re-encrypted when passed between them, breaking the chain of “end-to-end” encryption and creating a point of vulnerability for interception by a bad actor.

Alec Muffett, an internet security expert and former Facebook engineer who recently helped Twitter launch an encrypted Tor service, told The Verge that it would be a mistake to think that Apple, Google, Facebook, and other tech companies were making identical and interchangeable products that could easily be combined.

“If you went into a McDonald’s and said, ‘In the interest of breaking corporate monopolies, I demand that you include a sushi platter from some other restaurant with my order,’ they would rightly just stare at you,” Muffett said. “What happens when the requested sushi arrives by courier at McDonald’s from the ostensibly requested sushi restaurant? Can and should McDonald’s serve that sushi to the customer? Was the courier legitimate? Was it prepared safely?”

Currently, every messaging service takes responsibility for its own security — and Muffett and others have argued that by demanding interoperability, users of one service are exposed to vulnerabilities that may have been introduced by another. In the end, overall security is only as strong as the weakest link.

Another point of concern raised by security experts is the problem of maintaining a coherent “namespace,” the set of identifiers that are used to designate different devices in any networked system. A basic principle of encryption is that messages are encoded in a way that is unique to a known cryptographic identity, so doing a good job of identity management is fundamental to maintaining security.

“How do you tell your phone who you want to talk to, and how does the phone find that person?” said Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook. “There is no way to allow for end-to-end encryption without trusting every provider to handle the identity management… If the goal is for all of the messaging systems to treat each other’s users exactly the same, then this is a privacy and security nightmare.”

Not all security experts have responded so negatively to the DMA. Some of the objections shared previously by Muffett and Stamos have been addressed in a blog post from Matrix, a project geared around the development of an open-source, secure communications standard.

The post, written by Matrix co-founder Matthew Hodgson, acknowledges the challenges that come with mandated interoperability but argues that they are outweighed by benefits that will come from challenging the tech giants’ insistence on closed messaging ecosystems.

“In the past, gatekeepers dismissed the effort of [interoperability] as not being worthwhile,” Hodgson told The Verge. “After all, the default course of action is to build a walled garden, and having built one, the temptation is to try to trap as many users as possible.”

But with users generally happy to centralize trust and a social graph in one app, it’s unclear whether the top-down imposition of cross-platform messaging is mirrored by demand from below.

“iMessage already has interop: it’s called SMS, and users really dislike it,” said Alex Stamos. “And it has really bad security properties that aren’t explained by green bubbles.”

Google makes important Workspace change to prevent phishing

Google has made an important change to how it displays comment notifications for Workspace apps, like Docs, to prevent phishing and protect users from malware. This change makes it safer for users to collaborate remotely without worrying about hacks and other types of malicious attacks, and the change is notable at a time when more people are working, learning, and collaborating from home during the global health pandemic.

With the new notification change, Google is now including the full email address of the collaborator in its notification when you receive an @mention, making it easier to safely identify your collaborator and trusted contacts.

In the past when a collaborator inserts an “@mention” note to Google Workspace apps, you would get an email in your inbox notifying you that someone has made a change to your document. The problem, however, is that the email notification only contains the commenter’s name and not their email address, making it easy for malicious attackers to target users pretending to be someone who you know and trust. Google’s change should make it easier for you to confirm your collaborator by being able to see the commenter’s email address.

“When someone mentions you in a comment in a Google Workspace document, we send you an email notification with the comment and the commenter’s name,” Google explained of the change. “With this update, we are adding the commenter’s email address to the email notification.”

Google is rolling out the feature now, and it could take up to 15 days for the update to show up for everyone. There are no additional steps users or IT administrators will need to take, according to Google’s Workspace support document. The feature will roll out to all Google accounts, including personal Google accounts as well as legacy G Suite and Business accounts.

“We hope that by providing this additional information, this will help you feel more confident that you’re receiving a legitimate notification rather than a spam or phishing attempt by a bad actor,” Google added.

As more companies begin to or continue to adopt hybrid and remote work environments, technology companies are also stepping up their efforts to help prevent malicious attacks. In addition to Google’s latest efforts to protect Workspace users, last year Microsoft released a new feature for its Teams collaboration platform that makes it more difficult for hackers to steal your personal data by sending look-alike web pages. Microsoft stated that phishing is responsible for nearly 70% of data breaches in its Digital Defense report, and recent changes made by tech companies like Google will ultimately help to keep users safe as long as they remain vigilant and practice basic security hygiene when it comes to handling unknown links and emails from unknown senders.

How to use your phone as a two-factor authentication security key

If you want to verify your Google login and make it harder to access by anyone but yourself (always a good idea), one way is to use your iPhone or Android smartphone as a physical security key. While you can set up a third-party 2FA app such as Authy or even use Google’s own Authenticator, these require that you enter both your password and a code generated by the app. Google’s built-in security allows you to access your account by just hitting “Yes” or pressing your volume button after a pop-up appears on your phone. You can also use your phone as a secondary security key.

Use your phone to sign in

To set this up, your computer should be running a current version of Windows 10, iOS, macOS, or Chrome OS. Before you start, make sure that your phone is running Android 7 or later and that it has Bluetooth turned on.

  • While it’s unlikely you have an Android phone that doesn’t have a Google account associated with it, if you’re one of the few, you need to add a Google account to your phone by heading into Settings > Passwords & accounts, scroll down to and select Add account > Google
  • Once that’s done, open a Google Chrome browser on your computer
  • Head into myaccount.google.com/security on Chrome and click on Use your phone to sign in

  • Enter your account password. You’ll be asked to satisfy three steps: choose a phone (if you have more than one), make sure you have either Touch ID (for an iPhone) or a screen lock (for an Android), and add a recovery phone number.

You’ll be asked to satisfy three steps.

You’ll then be run through a test of the system and invited to turn it on permanently.

Use your phone as a secondary security key

You can also use your phone as a secondary security key to ensure that it is indeed you who are signing into your account. In other words, to get into the account, it will be necessary to be carrying the correct phone with a Bluetooth connection.

  • If you don’t have two-step verification set up yet, go back to your account security page, click on 2-Step Verification and follow the instructions. The TL;DR is that you’ll need to log in, enter a phone number, and select what secondary methods of verification you’d like.
  • Scroll down the list of secondary methods and select Add security key.
  • And again, select Add security key.

You can choose your phone, a USB drive or an NFC key to act as a security key.

  • You’ll be given the choice of adding your phone (or one of your phones, if you have more than one) or a physical USB or NFC key. Select your phone.
  • You’ll get a warning that you need to keep Bluetooth on and that you can only sign in using a supported browser (Google Chrome or Microsoft Edge).

That’s it! You’ve set up your phone as a security key and can now log in to Gmail, Google Cloud, and other Google services and use your phone as the primary or secondary method of verification.

When you sign in to your Google account, your phone will ask you to confirm the sign-in.

Your phone will then confirm your ID with your computer using Bluetooth.

Just make sure your phone is in close proximity to your computer whenever you’re trying to log in. Your computer will then tell you that your phone is displaying a prompt. Follow the directions to verify your login, and you’re all set!

Update March 29th, 2021, 11:20AM ET: This article was originally published on April 12th, 2019, and has been updated to account for changes in the Google interface.
