Are there any technical docs on how Google Prompt authentication works?
Someone once told me that on some phones it uses SMS to communicate and therefore it can be vulnerable to SIM porting attacks. I want to verify that isn't true.
In general I'd really like to know the security trade-offs between authenticator, Google Prompt, and a security key. Are security keys all around better? Seeing active login attempts via Google Prompt seems valuable to discover a compromised password.
Security keys are better, but you don't need a separate security key. They support using the hardware-based keystore as a security key. It uses StrongBox when available, i.e. a dedicated HSM like the Titan M chip on the Pixel 3 / 3a. If not, it uses the TrustZone-based keystore.


