
Google Offers Built-In Security Key Feature for Android Phones

Security keys give your online accounts an extra layer of protection, but some people don't want to carry them around or pay up to $50 per key. So Google built a free one into phones running Android 7.0+. Here's how it works.

Michael Kan, Principal Reporter


Security keys can stop sophisticated phishing attacks from compromising your accounts, but most will set you back between $20 and $50 per key. That cost is a big reason why the technology hasn't been widely adopted, but Google wants to change that by letting your Android phone act as a security key.

On Wednesday, Google began making the option available to those with a smartphone running Android 7.0 and up. The built-in security key functions like a hardware-based one, except it's free.

With this system, when you enter your password on the PC, a notification will be sent to the handset. You'll be asked to confirm that you want to sign in. From there, the Android handset will sign an authentication request via Bluetooth to the PC, unlocking your account. For those who already use two-factor authentication when signing into their Google accounts on the PC, the process will be familiar. The difference is under the hood.

The extra layer of security is designed to ensure that only you can log in to your account. For now, the technology only works on Google and G Suite accounts. It also requires a PC that supports Bluetooth and the Chrome browser. But the goal is to bring the security technology to other browsers, including Firefox and Safari, and third-party websites.

An Attempt to Kill Passwords

"We wanted to have this technology as widely available as possible," Google product manager Christiaan Brand told PCMag.

Google's solution uses the FIDO2 standard and works like a physical security key: your phone stores a cryptographic key, which is used to sign authentication requests to unlock the designated online account.

[Image: Google Security Key Built In]

What makes the solution resistant to phishing is that the security key will never transfer your cryptographic key over the internet. The technology will only sign off on an authentication request from the official account provider. So even look-alike phishing pages from the best hackers won't be able to fool the security key.
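
An added example (not from the article or from Google) that models the origin check described above in Node.js. It is a simplified sketch, not the FIDO2/WebAuthn message format; the class and function names and both hostnames are constructed for illustration, and a site is matched by exact hostname.

```javascript
// Added example: simplified model of origin-bound signing, not the WebAuthn wire format.
const crypto = require("node:crypto");

// Phone side: one key pair per site; the private key never leaves this object.
class PhoneKey {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(new URL(origin).hostname, privateKey);
    return publicKey; // only the public half is sent to the site
  }
  // `origin` is what the browser reports, not what the page claims to be.
  sign(origin, challenge) {
    const key = this.keys.get(new URL(origin).hostname);
    if (!key) return null; // no credential was ever created for this site
    const clientData = JSON.stringify({ origin, challenge: challenge.toString("hex") });
    const signature = crypto.sign("sha256", Buffer.from(clientData), key);
    return { clientData, signature };
  }
}

// Server side: accept only a fresh challenge, signed for our own origin.
function verifyAssertion(publicKey, origin, challenge, assertion) {
  if (!assertion) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== origin || data.challenge !== challenge.toString("hex")) return false;
  return crypto.verify("sha256", Buffer.from(assertion.clientData), publicKey, assertion.signature);
}

function demo() {
  const REAL = "https://accounts.example.com";            // constructed hostname
  const FAKE = "https://accounts.example.com.login.test"; // constructed look-alike
  const phone = new PhoneKey();
  const pub = phone.register(REAL);
  const challenge = crypto.randomBytes(32);
  const ok = verifyAssertion(pub, REAL, challenge, phone.sign(REAL, challenge));
  // Look-alike page forwards the real challenge: the phone has no key for that host.
  const noCredential = phone.sign(FAKE, challenge) === null;
  // Even with its own credential, a signature made for FAKE is rejected by REAL.
  phone.register(FAKE);
  const relayed = verifyAssertion(pub, REAL, challenge, phone.sign(FAKE, challenge));
  // A signature over an old challenge fails against a new one.
  const replayed = verifyAssertion(pub, REAL, crypto.randomBytes(32), phone.sign(REAL, challenge));
  return { ok, noCredential, relayed, replayed };
}
console.log(demo());
```

Only the first check succeeds: the look-alike origin either has no credential on the phone or produces a signature the real site rejects.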

Google chose Android 7.0 and up because those versions of the operating system require the use of what's called a Trusted Execution Environment (TEE), an isolated area of the phone's processor. Through the TEE, a phone can store and process your most confidential information, such as encrypted fingerprint data, without it ever leaving the device.

In most cases, Google's built-in security key will leverage the TEE to store the cryptographic key information, Brand said. The company's Pixel 3 devices, on the other hand, will store the cryptographic keys inside Google's custom Titan security chip, which is also separate from the phone's main processor.

For now you can only use one Android phone to act as your physical security key; if you get a new phone, you log out of the old one and set it up on the new device.

Should You Trust Google?

Some might be skeptical about Google's latest security solution. After all, the company's Android OS hasn't been free of malware threats or dangerous software exploits. But Google product managers told PCMag that compromising their built-in security key solution would likely require getting physical access to your phone. If that happens, you're in trouble anyways.

"The point here is that the phishing problem is stopped," Brand said. "Yes, the secondary problem might be, 'Okay, now I have an attacker who plugs in a cable and has zero-day exploit for Android 7, where they can get the phone's files off the flash drive.' That might be a problem. But that's definitely far, far secondary to the primary issue."

Too many people continue to protect their accounts with only passwords, added Google product management director Sam Srinivas. "The real threat is someone sitting 3,000 miles away, who sends you a fake login page. And that is what we are really protecting against: A remote attack. That's really the clear and present danger," he said.

Unfortunately, many other websites, like those from banks, still don't offer security key protection. Others are only offering two-factor authentication systems that generate the one-time passcode over SMS, which can also be insecure in some cases. But Srinivas said he's hoping Google's built-in security key solution eventually becomes a standard across the industry.

Why Should I Use a Security Key?

The solution represents a big upgrade over existing two-factor authentication (2FA) systems, which Google and many top internet companies already offer. 2FA usually works by requiring you to enter a password and a special one-time passcode, which is generated on your smartphone, usually via SMS text or an app. So in the event your password is ever guessed or stolen, the hacker still can't break in.

Unfortunately, 2FA isn't perfect. Hackers have shown they can trick victims into handing over the one-time passcodes via official-looking phishing emails.

Enter the security key. It works like two-factor authentication, but swaps out the one-time passcode for a physical device an attacker would have to physically steal to access your account. Companies including Google, Facebook, Twitter, and Dropbox all offer security key protection with their accounts.

Google liked the solution so much that in 2017 it decided to give security keys to all employees. Since then, it's encountered no confirmed takeovers of work-related accounts. Last year, Google also began selling its own "Titan" security key product for $50.

But despite Titan, Google's business customers have been asking for a way to bring security key technology to more of their own employees. In response, the company looked to the smartphone, the one device most people carry with them at all times.

To fully protect your Google account exclusively with the built-in security key, you'll need to go into the security settings and remove any other two-factor authentication steps (such as SMS one-time passcodes or Google Prompts) you've enabled for your account. But the trade-off is that Google's built-in security key currently only works for Windows 10, macOS and Chrome OS devices with Bluetooth functionality.
