by samdk 3362 days ago
Thanks for writing this!

One nitpick: the guide says "If you're curious why it's important to not have a phone number on your account, see the security key FAQ", but the linked security FAQ doesn't actually appear to say why it's important.


Sorry about that, I'm updating that FAQ next.

The answer is that SMS is not a secure second factor (it's easy to hijack and eavesdrop on), and in some cases when you give a service a phone number, it becomes possible to take over the account with just control of the phone number.

There was an article floating around on HN a while ago about someone basically stating that an attacker was able to call their cellphone provider and use social engineering tactics to transfer their account to their own number, ultimately circumventing second-factor auth via SMS and gaining access to their Google account. I believe it was from an actual Google employee, so they were able to recover the account quickly.

And some services that do phone calls can be tricked to save to voicemail (which was the case for Google, Facebook and various others previously): https://shubs.io/how-i-bypassed-2-factor-authentication-on-g...

Google now offers "Google prompt" which sends a push notification to your phone through the Google app. How secure is this method?

Much better than SMS, but not as good as a security key, because if you can fool someone into logging in to an impostor site, you can get their email account.

It would be a reasonable backup in place of (or in addition to) Google Authenticator.

Which is why password+SMS is sometimes called "1.5 factor auth"
Because it can be a way to compromise your account[0]. HN discussion[1]:

[0]: https://blog.coinbase.com/on-phone-numbers-and-identity-423d...

[1]: https://news.ycombinator.com/item?id=12597609

> We were also able to get in contact with an outstanding Verizon employee who understood the urgency and impact of our situation and shepherded our case through the byzantine halls of inter-carrier communications. We had control of the phone number back by 2 PM (which, if you’ve ever tried to get two phone companies to talk to each other, is a significant achievement. We were initially assuming we wouldn’t be able to regain control until the following week).

How in the world is a random guy supposed to do this sort of thing? Anyone have any tips for people who get into these situations and who aren't already BFFs with C-level executives of phone companies or something like that?

I have answers/arguments along those lines here: https://github.com/lrvick/security-token-docs/blob/master/FA...

Would be interested in seeing contrasting views though!

These are indeed answers, but they aren't the real answers.

The real answer for "why not a smartphone app" is "because code generators are just as phishable as passwords". In the real world, that's how people are being compromised, not by elaborate phone exploit pivots but by phishing pages. It also speaks to why phone authenticators are acceptable backups to tokens.

The real answer for "why not SMS" is "because both teenagers and intelligence services can get a phone number redirected; your phone number is not your phone."

Obviously, you don't PIN-lock a U2F token; the answer to "what if it's stolen" is "whoever stole it probably doesn't have your password, which they'll need in order to use the token, so if your token is stolen remove it from your account and then fish $17.99 out of your couch cushions and buy a new one".

Code generators are super phishable and that is the whole reason to abandon them in the medium term. In the short term however they are all we have for most websites, so protecting the secret in a hardware token is as good as we can get.

No matter how much you protect the secret though, not getting phished is left to the hopefully paranoid user, which is for sure not ideal, but we are probably years out from TOTP being replaced with U2F for most sites.

TOTP via hardware tokens is a stopgap.

Great comments though. Will update to reflect them.

Code generators are indeed phishable, which is why your primary login factor is a U2F token. Meanwhile, because of the way phishing works, if you go log in of your own volition to your Google Mail account, the TOTP code provides about as much security as the U2F key does.

The idea behind the U2F/TOTP stack is to minimize your exposure to phishing attacks and at the same time minimize (to practically zero) the odds of you being locked out of your account. It accomplishes that nicely, which is why most of the other experts we talk to have U2F/TOTP/backup-codes as their Google 2FA stack.
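An added example, not from this thread or the linked docs, illustrating the point made in the "just as phishable" comment and in the U2F/TOTP stack comment above: a TOTP code typed into an impostor page and relayed still verifies at the real service, while a U2F-style assertion does not, because the browser folds the page origin into what the token signs. The two origins, the credential key and the HMAC standing in for U2F's ECDSA are assumptions made so it runs offline.

```python
import hashlib
import hmac
import struct

REAL_ORIGIN = "https://accounts.google.com"          # where the user meant to log in
IMPOSTOR_ORIGIN = "https://accounts-google.example"  # constructed look-alike phishing origin


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code a generator app displays."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def service_totp_accepts(secret: bytes, submitted: str, unix_time: int) -> bool:
    """Typical verifier: accept the current 30 s step and one step either side."""
    return any(hmac.compare_digest(totp(secret, unix_time + d), submitted) for d in (-30, 0, 30))

def phished_totp_accepted(secret: bytes, unix_time: int, relay_delay: int = 20) -> bool:
    """User types the current code into the impostor page; the impostor relays it
    to the real service a few seconds later. Nothing ties the code to the origin."""
    typed_on_impostor = totp(secret, unix_time)
    return service_totp_accepts(secret, typed_on_impostor, unix_time + relay_delay)

def token_sign(cred_key: bytes, origin: str, challenge: bytes) -> bytes:
    """Simplified U2F assertion. The browser, not the page, supplies the origin,
    which is hashed into the signed data. Real U2F signs with ECDSA; an HMAC
    stands in here (assumption) so the example runs offline."""
    app_param = hashlib.sha256(origin.encode()).digest()
    return hmac.new(cred_key, app_param + challenge, hashlib.sha256).digest()

def service_u2f_accepts(cred_key: bytes, challenge: bytes, signature: bytes) -> bool:
    """The real service only ever verifies against its own origin."""
    return hmac.compare_digest(token_sign(cred_key, REAL_ORIGIN, challenge), signature)

def phished_u2f_accepted(cred_key: bytes, challenge: bytes) -> bool:
    """Impostor forwards the genuine challenge, but the victim's browser signs it
    under the impostor's origin, so the relayed assertion fails verification."""
    return service_u2f_accepts(cred_key, challenge, token_sign(cred_key, IMPOSTOR_ORIGIN, challenge))

def direct_u2f_accepted(cred_key: bytes, challenge: bytes) -> bool:
    """Same token and challenge, signed on the genuine origin: accepted."""
    return service_u2f_accepts(cred_key, challenge, token_sign(cred_key, REAL_ORIGIN, challenge))
```

The TOTP function reproduces the RFC 6238 SHA-1 test vectors (secret `12345678901234567890`, time 59 gives `287082`), so the comparison is against a real code generator, not a toy.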