Phishing—when an attacker tries to trick you into turning over your online credentials—is the most common cause of security breaches. Preventing phishing attacks can be a major challenge for personal and business users alike. At Google, we automatically block the overwhelming majority of malicious sign-in attempts (even if an attacker has your username or password), but an additional layer of protection can be helpful.

Two-step verification (or 2SV) makes it even harder for attackers to gain access to your accounts by adding one more step to the sign-in process. While any form of 2SV, like SMS text message codes and push notifications, improves the security of your account, sophisticated attackers can skirt around them by targeting you with a fake sign-in page to steal your credentials.

We consider security keys based on FIDO standards, like our Titan Security Key, to be the strongest, most phishing-resistant method of 2SV on the market today. These physical security keys protect your account from phishers by requiring you to tap your key during suspicious or unrecognized sign-in attempts.

Now, you have one more option—and it’s already in your pocket. Starting today in beta, your phone can be your security key—it’s built into devices running Android 7.0+. This makes it easier and more convenient for you to unlock this powerful protection, without having to carry around additional security keys. Use it to protect your personal Google Account, as well as your Google Cloud Accounts at work. We also recommend it for people in our Advanced Protection Program—like journalists, activists, business leaders and political campaign teams who are most at risk of targeted online attacks.