Frank Slootweg <this@ddress.is.invalid> wrote:
AJL <noemail@none.com> wrote:
[...]
When I fire up a NEW Android device and sign into my Google accounts for
the first time, after I put in my user name and password it sends a
white screen to my other Android devices on which I pick one and push a
"Yes it's me" button for verification and the new device is then signed on.
I always thought that Google Authenticator was responsible but after my
last post I looked at it and don't see any indication that it is or is
not responsible for this verification. Perhaps one of the more technical
folks here can explain how this (non-SMS) verification process works...
The 2SV mechanism you're using is called 'Google prompt', i.e. you get
a prompt on your device(s).
See the '2-Step Verification' section of your Google account [1].
There you will see 'Google prompt' as one of the options in 'Second
steps'. It will list the number of devices which can get the prompt and
('>') which devices (in my case my phone and a tablet).
[1] <https://myaccount.google.com/signinoptions/twosv>
List of your 'Google prompt' devices:
<https://myaccount.google.com/two-step-verification/prompt>
I don't have 2FV enabled. Deliberately left it disabled.
What on the phone presents the prompt? A service, an auth app, what?
How does the prompt get to the phone? What communications venue?
Google claims their scheme is more secure than SMS texts, but no mention
regarding delivery mechanism, or display mechanism.
When text gets replaced with a QR code, then what? While they are
currently SMS texts showing a string, I can transcribe them into some
input dialog awaiting that string. I don't read QR. When some prompt
by some undescribed delivery mechanism gets delivered to my phone and
display by some undescribed process that is apparently always running on
my phone, how do I decode the QR image to then transcribe its content
(the text string) to some input dialog?
https://support.google.com/accounts/answer/7026266
No info there on HOW it works other than the phone must be signed into a
Google account (and where Google Prompt is enabled for selected phones).
You said "So it's *not* about authenticating a Google account login,
*nor* a Gmail 'login', but about verifying the *phone number*, which is
associated with your Google Account." Yet the above article is about
getting the "Prompt" when signing in. "You can use Google prompts to
sign in: ..."
https://guidebooks.google.com/online-security/understand-online-security/sign-in-challenges?hl=en
Still missing the basics of how delivered, what displays the prompt, and
how the user is going to decode a QR image (when Google switches) to
then enter its encoded string into a waiting input dialog.
At most, it appears from some online hits, including YouTube searches,
that Google Prompts rely on using the Google App (which, for me, is the
search bar aka Google Assistant shown on the home screen). Under
settings -> General -> Apps, "Google" can be disabled. While it cannot
be easily disabled, I'm sure someone can remark how to remove it. Some
users don't want it, and prefer their choice of search engine in their
choice of web browser. Will disabling the "Google" app also disable
Google Prompts? Again, the inquiry comes back to how the Prompt gets
delivered, and what is used to display it.
https://youtu.be/p5EuBBAbfPY?t=12
That says "When signing in using the Google prompt, the Google app on
your phone will ask if you are trying to sign in." Okay, so through
what communications venue does the Prompt get delivered? Looks like the
Google App gets used to display the Prompt provided it has not been
disabled (or removed). For iOS users (assuming they bother with Gmail
services where they have to login), they have to install the Google App
on their iPhones.
https://youtu.be/p5EuBBAbfPY?t=37
That shows you signing into your Google account. After entering your
username and password, and if 2FV is enabled, you get prompted for
two-step verification. From some Prompt, you transcribe the numeric
string into the waiting input field. When the Prompt changes to a QR
image, just how are users to decode it into a string to enter into the
waiting input field?
Doesn't anyone know just how notifications are sent to the phone (i.e.,
what communications protocols are used)? Or is that the alchemy of
Android that users aren't supposed to know? I suspect no one will know
how the user is going to decode the QR image into a text string to input
the numbers into a waiting input field until Google decides just how
they are going to implement the switch from text strings via SMS (or
text strings via Google Prompt) to dropping a QR image on the user's
phone (which is still unclear if SMS or Google Prompt is used).
https://www.phonearena.com/news/google-adds-extra-security-to-account-login-with-enhanced-2fa-prompt_id167200
https://9to5google.com/2025/01/31/google-prompt-2fa-fingerprint/
Those mention Google Play Services is involved, yet iPhone users are
told to just install the Google App. The enhancements come to Android's
[Google] Play Services in version 25. Although iPhone users are told to
install the Google App to make use of all this security theater, maybe
iPhone users even after installing the Google App won't be getting the
enhanced features of Google Prompts unless Google rolls them into a new
Google App for both platforms.
Will there be a minimum Android version for Google Prompts, and however
the received QR image gets inputted to some waiting dialog? Seems an
Android-only thing with an iOS workaround; however, just because I have
an Android phone doesn't mean I must let Google control it, or use
anything of Google on it. What do de-Googled users do?
From searching their help, and having forum posts show up in results,
users often remark that Google Prompt is insecure. Alas, they don't
detail just what is insecure, or what are the vulnerabilities. Maybe
it's about this:
https://www.forbes.com/sites/daveywinder/2025/01/04/gmail-security-threat-confirmed-google-wont-fix-it-heres-why/
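The thread asks how a "tap Yes on your other device" second step can work at all once the password has been accepted. The following is an added, constructed model of the general shape of such a step (a pending challenge pushed to enrolled devices, a short match code shown only on the login screen, a signed approve/deny answer from the device, one-shot and time-limited). It is not Google's code and does not describe Google's actual protocol or transport; the names AuthServer, EnrolledDevice, Challenge, the in-memory inbox standing in for the push channel, and the HMAC-per-device scheme are all assumptions made for this example.

```python
"""Constructed model of a push-style second step with number matching.

NOT Google's implementation: AuthServer, EnrolledDevice, Challenge and the
in-memory 'inbox' (standing in for a real notification channel) are
assumptions made for this example. The per-device HMAC key is a constructed
stand-in for whatever key material a real enrollment would set up.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Challenge:
    challenge_id: str
    username: str
    match_code: str        # two-digit code displayed only on the login screen
    origin: str            # description of where the login came from, shown to the user
    created: float
    resolved: bool = False  # a challenge can be answered exactly once
    approved: bool = False


@dataclass
class EnrolledDevice:
    device_id: str
    key: bytes                                   # constructed per-device secret
    inbox: list = field(default_factory=list)    # stands in for the push channel

    def receive(self, challenge: Challenge) -> None:
        self.inbox.append(challenge)

    def respond(self, challenge_id: str, chosen_code: str, approve: bool = True) -> dict:
        """Device-side answer: the user picks/enters the code they see on the
        login screen and approves or denies; the device signs that decision."""
        msg = f"{challenge_id}|{chosen_code}|{int(approve)}".encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"device_id": self.device_id, "challenge_id": challenge_id,
                "code": chosen_code, "approve": approve, "tag": tag}


class AuthServer:
    TTL = 120  # seconds a pending prompt stays answerable

    def __init__(self) -> None:
        self.devices: dict = {}   # username -> list[EnrolledDevice]
        self.pending: dict = {}   # challenge_id -> Challenge

    def enroll(self, username: str, device: EnrolledDevice) -> None:
        self.devices.setdefault(username, []).append(device)

    def start_second_step(self, username: str, origin: str, now: float = None):
        """Called only after the password check succeeded. Pushes the prompt to
        every enrolled device and returns the code the login screen displays."""
        if now is None:
            now = time.time()
        ch = Challenge(secrets.token_hex(8), username,
                       f"{secrets.randbelow(100):02d}", origin, now)
        self.pending[ch.challenge_id] = ch
        for dev in self.devices.get(username, []):
            dev.receive(ch)
        return ch.challenge_id, ch.match_code

    def complete(self, response: dict, now: float = None) -> bool:
        """Verify a device's answer. Any failure (unknown or already-used
        challenge, expiry, unenrolled device, bad signature, wrong code,
        explicit denial) leaves the login unapproved."""
        if now is None:
            now = time.time()
        ch = self.pending.get(response["challenge_id"])
        if ch is None or ch.resolved:
            return False
        if now - ch.created > self.TTL:
            ch.resolved = True
            return False
        dev = next((d for d in self.devices.get(ch.username, [])
                    if d.device_id == response["device_id"]), None)
        if dev is None:
            return False
        msg = f"{ch.challenge_id}|{response['code']}|{int(response['approve'])}".encode()
        expected = hmac.new(dev.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["tag"]):
            return False
        ch.resolved = True   # one answer per challenge, right or wrong
        ch.approved = bool(response["approve"]) and response["code"] == ch.match_code
        return ch.approved


if __name__ == "__main__":
    srv = AuthServer()
    phone = EnrolledDevice("phone-1", b"constructed-device-secret")
    srv.enroll("alice", phone)
    cid, code = srv.start_second_step("alice", "Browser on Linux, Amsterdam (constructed)")
    print("prompt delivered to", phone.inbox[0].origin, "- login screen shows", code)
    print("approved:", srv.complete(phone.respond(cid, code)))
```

The match code is the part that matters for the "is it insecure" question raised above: because the code is shown only where the login is happening, a user who did not initiate the sign-in has nothing to enter, and a wrong guess burns the challenge rather than leaving it open for retries.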