Conversation

The issue is that they have at least 3 workflows: the one for non-technical users, a more hidden way for people to set things up in a more specific way, and then the Advanced Protection Program for journalists, activists, etc. or other people with accounts that are high risk.
Yeah, I get the complaint. I have similar complaints about nearly every site with 2FA. landing.google.com/advancedprotec avoids all the issues for Google though. You need to have at least 2 security keys and may want to have another one as an off-site backup, but other than that it is trivial.
Yeah, that just changes an off-line attack (able to copy off the key material because it's not on the secure element) to an on-line attack, which w/ people's phones being on-line all the time, will last till it's detected/wiped.
It sounds like it's essentially the same thing as the security key feature in Play services for Android. Chrome uses the Play services implementation. We need to make an open source implementation of at least the on-device subset of the feature for GrapheneOS / Vanadium.