Conversation

This Tweet is from a suspended account. Learn more

Replying to

and

For Advanced Protection, the initial 2 security keys need to be physical standalone keys. Once you've set it up, you can add phones with hardware keystores as additional security keys. It's based around not wanting people to get very easily locked out of their accounts.

This Tweet is from a suspended account. Learn more

This Tweet was deleted by the Tweet author. Learn more

This Tweet is from a suspended account. Learn more

Replying to

and

Yeah, it uses the phone's HSM as a proper security key including physical confirmation being required to authorize it being used. It's a real mess without Advanced Protection because there are so many 2FA methods including using phones as software 2FA rather than hardware 2FA.

This Tweet is from a suspended account. Learn more

Replying to

and

On Android, it uses developer.android.com/training/artic when available which is the Titan M for Pixels of the Qualcomm SPU for devices like modern flagship Samsung phones. For older, non-Pixel phones, they use the traditional TEE-based hardware keystore. Both have physical confirmation.

developer.android.com

Android keystore system | Android Developers

Replying to

and

And yeah, for iPhones, it uses their SEP as the secure element, which is comparable to StrongBox via Titan M or Qualcomm SPU.

Replying to

and

As far as I know, a lot of new Android phones don't have a proper HSM but the feature is still almost universally supported due to working with the traditional TEE keystore. TEE keystore generally uses fingerprint sensor for physical confirmation. Titan M can use power button.

9:52 PM · Mar 26, 2021Twitter Web App