Instead of buying a dedicated security key, all owners of recent iPhones can use their handset as a physical key for logging into Google services on another device.
Physical security keys, which we wrote about at the end of 2019, are a form of two factor authentication (2FA) but are generally considered to be more secure than entering a six-digit code sent to you phone via a text message, as those can be intercepted by hackers.
Android smartphones could already be used as physical security keys, and now an update to Google's Smart Lock app for iOS means all recent iPhones can be used too. We say "recent" iPhones, as the security system works in conjunction with the iPhone's secure enclave, where it stores data related to Touch ID or Face ID.
Therefore, iPhones with Touch ID or Face ID (that's the iPhone 5S onwards) can all be used as physical security keys for logging into Google services. The app also requires your iPhone to be running iOS 10 or later, and for now it only works when logging into a Google service using the company's Chrome web browser.
Once set up, the next time you try to log into a first-party Google service (like Gmail) using the Chrome web browser on a laptop, for example, a notification will be sent to your iPhone. As long as the iPhone is within Bluetooth range of the laptop, or whatever device you are trying to log into Google on, then tapping the notification will authenticate you and let you log in.
Google also sells a physical security key called the TitanGoogle
In this instance, not only do you need to know the account username and password, but you also need access to the iPhone running the Smart Lock app attached to the Google account, and you need unlock that iPhone, likely via Touch ID or Face ID, to respond to the notification. Unless a hacker knew your username and password, and had access to your unlocked iPhone, they cannot log into the Google account.
Using a physical security key like this is safer than relying on codes sent via text message, as it requires you to have physical access to the key or phone. Text messages containing verification codes can be remotely intercepted and read by hackers.
Therefore, using a physical security key - either a dedicated key or a smartphone - is a good step towards bolstering your digital security. The only downside here is the lack of biometric security in the Smart Lock app itself.
If a hacker were to take your phone while it is unlocked, then log into the Google service with your credentials and respond to the notification on the unlocked phone, then they would gain access to the account. That said, it is still a safer approach than relying on a text code, or not using 2FA at all.