top | item 33100255

(no title)

tgma | 3 years ago

> Secondary opinion, why is the Google app lacking? Because they really don't want people to use it. They much prefer you reveal your phone number and use SMS instead. This way they can easily identify you personally.

Sure, companies may do some evil things intentionally, but an app UI sucking is usually the default state of things and not some malice necessarily. In this case, I think part of the neglect of Google Authenticator is them trying for years to pivot to other forms of two-factor authentication that are more phishing-resistant than an OTP (Yubikey-like and smartphone based systems).

discuss

jqpabc123|3 years ago

trying for years to pivot to other forms of two-factor authentication that are more phishing-resistant than an OTP

Yes, that probably explains why they prefer OTP over SMS --- because it is more secure --- and it totally violates your privacy.

sand500|3 years ago

SMS 2FA is not secure. Lots of HN posts about it:

https://hn.algolia.com/?q=sms+2fa

UncleMeat|3 years ago

SMS 2FA is basically the same as TOTP against phishing. It is worse in that you can be hit with sim-swapping. Phishing is many orders of magnitude more common than sim-swapping. There is a real difference between these two options, but it is wildly overemphasized online. The gap between SMS/TOTP and a Yubikey or equivalent is way larger.

mehrdada|3 years ago

I was not suggesting SMS 2FA when I referred to "Smartphone-based solution". I meant relying on Secure Enclave or alike on the smartphone as the second factor in a challenge-response fashion that makes the "OTP" bound to a specific domain and thus unphishable.

2muchcoffeeman|3 years ago

Unfortunately it’s still better than no other factor especially for most people.