Google Prompt vs Google Authenticator: what is more secure?

Discussion in 'mobile device security' started by jsmith65, Feb 3, 2018.

  1. jsmith65

    jsmith65 Registered Member

    Joined:
    Jun 21, 2017
    Posts:
    10
    Location:
    USA
    What's more secure: Google Prompt or Google Authenticator?

    Considering increasing risks of SIM swap and phone number porting scams, would Google Authenticator be safer? Does Google Prompt fail in sim swap scenario?

    Thanks!
     
  2. ClaytonThomas

    ClaytonThomas Registered Member

    Joined:
    Feb 4, 2018
    Posts:
    18
    Location:
    Sofia, Bulgaria
    None. If you want to use 2FA for Google account then write the backup codes on paper. Other than that, I prefer open source 2FA app, FreeOTP and OTP Authenticator from Bruno Bierbaumer.
     
  3. jsmith65

    jsmith65 Registered Member

    Joined:
    Jun 21, 2017
    Posts:
    10
    Location:
    USA
    Multiple articles talk about hijacked phone numbers, either because they are being ported away from the user or with a SIM swap attack. These articles tout Google Authenticator and other more secure alternatives to get around this issue. Unfortunately, I do not believe you get any extra security! After settings up Google Authenticator for my account, and making sure my phone number is NOT listed as one of the 2-FA options, I went to re-login... As expected, Google asked for my Authenticator code, BUT it also has a "More Options" link there and it allowed me to login using SMS to my phone?!

    So, if someone steals my phone number, they would not care that I use Google Authenticator or even a hardware key I imagine - they can always click on More Options and use the stolen phone number to steal my gmail account too.

    So, does Google Authenticator really provide any more security over SMS when it comes to the second factor?!
     
  4. 142395

    142395 Guest

    You're confusing some things.
    First, why Google Authenticator (or other app) is securer than SMS? It's because SMS are sent through mobile network which can be tapped via MITM. But in case of GA, chance of MITM is only once, it is when you get its key or QR code. So make sure it is delivered through https page and preferably check TLS certificate and domain of the page. Now as long as you use GA, there's no risk of MITM ([EDIT: login to your account itself still can be MITMed, in that case 2FA code can be stolen]). Ofc, it's far from bullet proof, not only against mobile theft. A mobile malware might capture 2FA code, or desktop malware who injected code to browser might be waiting you to input the code, not to mention social engineering or phishing. This is why you should use FIDO U2F security key which is the most secure 2FA option.

    Second, Google basically requires at least 2 methods to login when you enabled 2FA. So even if it's not displayed in 2FA option, if your only method is GA (not sure if backup code can be counted as login method...maybe not), then another method is SMS (or prompt) and you can only remove phone number after you added 3rd+ method. In my case, I never register my real phone number to Google. Before I activate 2FA, I get IP phone number temporary and use it for 2FA. Then add U2F key + GA as 2FA option, delete phone number from Google, then dispose that phone number from any use. IIRC, there're some places to register phone number in Google setting, so if you want to completely remove phone number, you may need to dig through settings.
     
    Last edited by a moderator: Feb 5, 2018
  5. jsmith65

    jsmith65 Registered Member

    Joined:
    Jun 21, 2017
    Posts:
    10
    Location:
    USA
    Thanks 142395,

    I think the MITM benefit is relatively unikely: if it's malware on your computer, then SMS has the same downside as GA - malware can use the code entered by either one and use it the same way. So, only way GA would be better than SMS for MITM scenario is something running outside of your computer, but then it would have to know your password and apply this in real time with when I happen to be logging in to the gmail.

    I think much larger issue is the attack where someone hijacks your phone number and then breaks into your account using SMS. Most articles say it's more secure specifically against such attacks (phone number porting and sim swaps). So, I was trying to have a setup where this would not be possible. However, it turns out for phone number hijacking / sim swapping, Google Authenticator is no better than SMS since Google insists on providing an option to see provide second factor via SMS.

    Now, I DO think backup code count as another 2nd factor (it's also under More Options) and I have that setup too. In other words, the "More Options" has 3 allowed ways for 2nd factor: GA, Backup Codes and the SMS, even though I want only the first two.

    I could not find any place to remove my phone number. I even visited the https://myaccount.google.com/phone page (not just the sign-in settings page) and it is not there; yet Google still remembers it and offers it under More Options. I was able to login with my phone number as second factor even though it's NOT set under any options.
    Seperately, I tried the recovery process and I was asked to confirm using that phone number. Again, I had removed my phone number as an option for recovery prior to attempting the "forgot password" link.

    So I guess if I used a temporary phone which later gets deleted, that might be a good solution!! I did not know about temp IP phone numbers - how do you get those easily and then how do you dispose of them securely?

    I think U2F key for gmail requires using Chrome, which I don't like. Or am I wrong on this one? I imagine someone would use either U2F key OR Authenticator, but not both... ?
     
  6. 142395

    142395 Guest

    @jsmith65
    Sorry, I had to be more clear about MITM. I edited earlier post but yes, if your traffic to login page is MITMed then GA won't help. But if someone only MITMed mobile network and not your login page (protected by https), there's difference. There're mobile network in the world that are not very secure, so in that case Google prompt will be better, and GA is intact in this case.

    It seems Google don't count backup code as a method, thanks for testing. I think once you added U2F key, you can delete phone number (at least I could). Needless to say, Google can't send SMS when there's no phone number registered.

    Re: IP phone number:
    Sorry, I use my mobile career's VoIP service so it won't be applicable to you. You can check if your career offer such service, but there're other public VoIP services around there, so search about them and find most reasonable one for you.

    Yes, so far U2F for Gmail only works on Chrome (or Android) or its folks. :(
     
  7. jsmith65

    jsmith65 Registered Member

    Joined:
    Jun 21, 2017
    Posts:
    10
    Location:
    USA

    Thanks 142395, just to clarify...

    Main point:

    My phone number also appears to be deleted. It does not show up anywhere on Google settings pages. Yet Google internally remembers it (this is a phone number you MUST have used to first setup SOME 2-FA option) and they also use it. So the main issue is that they are still using it for the second factor, even if you had tried to remove it from all settings. I realize you cannot test this with a temporary phone you threw away (which is what makes your suggestion of temp phone so interesting!); but if you like, you can setup a quick test gmail account with some phone number you have access to, and then add your other 2nd factor(s), remove your phone and try to login. When asking for 2nd factor, you will find your phone you had presumably removed under the "More Options" menu and you will still be able to login!

    Minor points:

    - I believe backup codes ARE counted as 2nd factor authentication. (You said that I confirmed that they are not, but I see them among More options, so I assume they ARE counted).

    - MITM that listens on mobile network does not sound like a big threat because that software would have to know your password *and* apply it in real time just when I happen to be logging in to the gmail (i.e. while that SMS code is still valid). So, while it's possible in theory, unless you are a known high-value target, I don't see how it would be applicable to 99.9% of people... Am I missing something?
     
  8. 142395

    142395 Guest

    You're right! I was shocked to see my deleted phone # was shown as another method. I was so shocked that I tested around with new test Google accounts, and found a way to avoid that, but only for new account which you haven't associated any phone #. i.e. if you used Google prompt rather than SMS, your phone # won't be displayed as another method.
    [EDIT] You need to create that Google account on Android. If you care privacy, you can use prepaid SIM and secondhand Android phone (or create new user on your phone if you're not that paranoid).
    [EDIT2]: If Google detected sign of spam, or they think you're creating more than 1 account, they'll require your phone #. To avoid this, change your IP w/out using VPN (shut down your router, wait 10s or so, then restart) and separate any of your old Google account from new IP.

    As long as MITM concerned, the risk won't be high. But it seems malicious guy don't think that real time is barrier. Tho it's not MITM, mobile malware who steel SMS code and abuse it within 60s is reported. Same goes for phishing and desktop financial malware IIRC. So 60s interval is not enough to stop malicious ppl. But once your device is infected, there's not much diff btwn these 2 methods as you said. Although I'm not aware of real example, taking screen shot of GA will be possible.
     
    Last edited by a moderator: Feb 8, 2018
  9. jsmith65

    jsmith65 Registered Member

    Joined:
    Jun 21, 2017
    Posts:
    10
    Location:
    USA
    Thanks, I did not get to test this (life gets in the way...) but I was hoping your earlier suggestion would work as the workaround: create GVoice #1; then create "real" GVoice #, using GVoice #1 and then delete GVoice #1. Or use a landline / magicjack / other voip instead of GVoice #1. Even though the "junk" phone would be displayed, it has no value since it's either deleted or can't get SMS at all...

    Appreciate the tip about new IP - did not know Google would be on me about this...
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.