> And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.
It's a bit disappointing seeing them re-affirm SMS as a more vulnerable form of 2FA when Google's stance has been to try and force a phone requirement on Google accounts that lack them in order to login—and then using the phone for SMS 2FA.
In the past number of years only after a phone is attached do other 2FA methods like TOTP become accessible as options.
However even when a phone is added Google continues to utilize SMS 2FA over them for what are deemed important actions like Takeaway or auth keys, in my experience.
This is despite known issues like SIM swapping and lock screen messages (viewable by anyone with device access). Also, due to the prevailing use of SMS for 2FA, users have been prepped to accept security codes via messages, which is arguably more exploitable than app-based TOTP in scams where fraudulent messages are known to be used alongside calls to mislead users into gaining trust and then subsequently requesting a real 2FA message[1].
> In the past number of years only after a phone is attached do other 2FA methods like TOTP become accessible as options.
I do always see these comments on HN and I think "Huh, really?" and I go check and, nope, Google doesn't have my phone number, but they do know I have security keys, so that's all working as intended.
I don’t have my phone number “registered” with Google, i.e. it does not appear in my account.
A few years back I was logging into a new machine from a known network. I provided the correct username, password, and TOTP on the first try. Google then forced me to authenticate further by providing my phone number _in the sign in flow_ to receive an SMS. This is pure theatre as I could have provided any number. No security was gained. Google does, however, now have my number. Even if it isn’t displayed on my account.
[1] https://robertheaton.com/almost-scammed/