Yeah, I get the complaint. I have similar complaints about nearly every site with 2FA. landing.google.com/advancedprotec avoids all the issues for Google though. You need to have at least 2 security keys and may want to have another one as an off-site backup but other than that it is trivial.
For Advanced Protection, the initial 2 security keys need to be physical standalone keys. Once you've set it up, you can add phones with hardware keystores as additional security keys. It's based around not wanting people to get very easily locked out of their accounts.
Yeah, it uses the phone's HSM as a proper security key including physical confirmation being required to authorize it being used. It's a real mess without Advanced Protection because there are so many 2FA methods including using phones as software 2FA rather than hardware 2FA.
On Android, it uses developer.android.com/training/artic when available, which is the Titan M for Pixels or the Qualcomm SPU for devices like modern flagship Samsung phones. For older, non-Pixel phones, they use the traditional TEE-based hardware keystore. Both have physical confirmation.
As far as I know, a lot of new Android phones don't have a proper HSM but the feature is still almost universally supported due to working with the traditional TEE keystore. TEE keystore generally uses fingerprint sensor for physical confirmation. Titan M can use power button.