
Login to Google with only your phone - msoad
https://docs.google.com/document/d/1-fyf-a1S9MkTp5-whuDUnltqIsh1q6OuOf2dSFfojxs/preview
======
pliu
This is neat, but I feel a bit conflicted about it. Authenticate to phone,
phone authenticates to website.

Certainly less laborious than entering a password, then authenticating to your
phone so you can copy a token code. But I feel like my login would then become
simultaneously more and less secure.

More secure from remote attackers who would have to spend a lot of effort to
get at my phone, but like waaaayyyy more vulnerable to local attackers who
could super easily get at my phone. Breaking the screenlock on my phone is
surely easier than breaking a complex password.

I'm definitely an edge case in that I have a very high level of security for
my personal stuff, but I've always modelled my security strategy on the fact
that anyone can easily whack me on the head and jack all my shit. You could put
password auth on your phone, but from a UX perspective this is awful. I'd
rather just have no phone.

So, conflicted. This feature sounds great, but feels less good than "normal"
MFA. Maybe I'm being crazy and it's all just fine. I accept that my credit
card number will somehow become compromised in the future, maybe we all just
have to accept a little identity theft in our lives too.

