Are there any technical docs on how Google Prompt authentication works?
Someone once told me that on some phones it uses SMS to communicate and therefore it can be vulnerable to SIM porting attacks. I want to verify that isn't true.
Conversation
In general I'd really like to know the security trade offs between authenticator, Google Prompt, and a security key. Are security keys all around better? Seeing active login attempts via Google Prompt seems valuable to discover a compromised password.
3
1
You can see/get alerts about the login attempt if you use a security key. The attack surface of a phone is huge. Security keys don't have screens to check what you are authorizing.
3
1
Some security keys have screens. Trezor supports U2F and displays the request being authorized on the screen, i.e. U2F authentication for a specific site. It has an internal list of the fingerprints for common sites to display a name / icon for sites like Google and GitHub too.
1
Google supports using the hardware-based keystore in Android devices as a full U2F key including the button-based authorization, but there isn't generally a trusted display so there's only physical confirmation of a request with the OS generally trusted to display the request.
Setting this up is a different process from setting up the Google prompt and it's a way better choice to add the phone as a security key. It's best on devices with a high quality HSM-based keystore but even with the traditional TrustZone keystore it's way better than the prompt.
1
Even a software-based keystore implementation would be a bit better than the Google prompt approach but the hardware-based keystore has been mandatory for a few years so there's no need for that. The prompt is tied to active logins on devices rather than having an actual pairing.
1