9to5Google:

Last year, Google announced that all Android 7+ devices can be used as two-factor authentication when signing into Gmail, Drive, and other first-party services. Most modern iPhones can now be used as a built-in phone security key for Google apps.

And:

A built-in phone security key differs from the Google Prompt, though both essentially share the same UI. The latter push-based approach is found in the Google Search app and Gmail, while today’s announcement is more akin to a physical USB-C/Lightning key in terms of being resistant to phishing attempts and verifying who you are. Your phone security key needs to be physically near (within Bluetooth range) the device that wants to log-in. The login prompt is not just being sent over an internet connection.

Feels like a step in the right direction, a tool to help stop SIM-swapping. Ultimately, I’d love all my log-in services to offer a setting that limited logins to Face ID only, with Face ID required to change that setting as well.