You can now use your Android phone as a security dongle for two-factor authentication

If you own a Pixel 3, there's a small bonus, too.

Credit: Yubico

Google now has a new way of enabling two-factor authentication: using your phone as the near-equivalent of a physical security key.

You should already be familiar with two-factor authentication: Typically, you’ll secure a web-based application like Gmail by not only inputting a password, but also providing a second means of authentication, such as an SMS code sent to your phone, or a code provided by an authentication app such as those listed in the link above. 

There’s an alternative 2FA method that doesn’t receive as much attention: a physical hardware dongle, like a YubiKey, that authenticates by being physically inserted into your PC. Think of it as a car key: You own it, you have it, so you must be who you say you are. 

Google’s new use of an Android phone as a “hardware dongle” is almost, but not quite, the same. Instead of sending a notification to an app on your phone—which an attacker could access if you lost the phone and they knew your PIN code—the website or service tries to connect to your phone via Bluetooth. Google’s new 2FA method doesn’t require a dongle to be physically inserted into a PC, but since Bluetooth’s range is relatively short, the odds of an attacker accessing your unlocked phone while remaining physically near your PC are relatively low.

Otherwise, the way in which this two-factor authentication works should be familiar: You log in, the service sends a “Are you trying to sign in?” request to your phone, and then you confirm that yes, it’s you. Right now, Google’s new authentication is confined to its own services like Gmail and G Suite, and requires a phone running Android 7 or above. There’s no indication of this being tied to WebAuthn to enable 2FA on websites, though. 

Google’s security page details the steps that are required:

  1. Enable two-factor authentication, if you haven’t already, on the web service in question.
  2. On your Android phone, go to
  3. Under “Signing in to Google,” select 2-Step Verification
  4. Scroll down to “Set up an alternative second step.”
  5. Select Add Security Key and then Your Android phone and then Turn on.

There’s one bonus for users who own a Pixel 3: Instead of actually requiring you to unlock your phone, you can (optionally) just tap the volume-down button to confirm the authentication request. 

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Mark Hachman

Mark Hachman

PC World (US online)
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Cate Bacon

Aruba Instant On AP11D

The strength of the Aruba Instant On AP11D is that the design and feature set support the modern, flexible, and mobile way of working.

Dr Prabigya Shiwakoti

Aruba Instant On AP11D

Aruba backs the AP11D up with a two-year warranty and 24/7 phone support.

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?