Conversation

This Tweet is from a suspended account. Learn more

Replying to

and

Just be aware the Advanced Protection Program is a lot more than only being able to login via security keys. It also prevents granting arbitrary apps access to account data and you don't have the option of using app passwords for legacy apps without modern auth workflow, etc.

This Tweet is from a suspended account. Learn more

Replying to

and

I'm suggesting using it for further security beyond simply using 2FA. You can set up 2FA without SMS without Advanced Protection. Advanced Protection is largely about getting rid of the customer support backdoors and eliminating other ways around proper authentication like that.

This Tweet is from a suspended account. Learn more

Replying to

and

That's the workflow they have for non-technical people aimed at minimizing the amount of people recovering accounts via customer support. I'm fairly sure you can enable non-SMS 2FA without that even without Advanced Protection. I don't think I ever had SMS recovery/2FA enabled.

Replying to

and

The issue is that they have at least 3 workflows: the one for non-technical users, a more hidden way for people to set things up in a more specific way and then Advanced Protection Program for journalists, activists, etc. or other people with accounts that are high risk.

This Tweet is from a suspended account. Learn more

Replying to

and

Yeah, I get the complaint. I have similar complaints about nearly every site with 2FA. landing.google.com/advancedprotec avoids all the issues for Google though. You need to have at least 2 security keys and may want to have another one as an off-site backup but other than that is trivial.

landing.google.com

Google Advanced Protection Program

The strongest account security made to protect the personal data and information of people most at risk of phishing, hacking and targeted digital attacks.

This Tweet is from a suspended account. Learn more

Replying to

and

For Advanced Protection, the initial 2 security keys need to be physical standalone keys. Once you've set it up, you can add phones with hardware keystores as additional security keys. It's based around not wanting people to get very easily locked out of their accounts.

9:23 PM · Mar 26, 2021Twitter Web App

Retweet

Likes

This Tweet is from a suspended account. Learn more

Replying to

and

Advanced Protection only allows hardware keys. Android devices can be used as actual hardware keys if they have a proper hardware keystore. If you don't use Advanced Protection, a phone can be used for software 2FA via a prompt. It's different from adding it as a security key.