
I'm trying to figure out what exactly Google 2-Step Verification is, and whether to trust it or not. It doesn't appear to be a text, and provides a push notification to your device - it's super convenient, I just don't know if it's particularly strong.



Google 2-Step Verification is vulnerable to phishing just like TOTP is. You can go to a phishing site without realizing it's not Gmail, you enter your username and password, the phishing site gives those to Gmail on your behalf, the phishing site causes 2-Step Verification to happen, and Google sends a push notification to your phone for you to let the attacker into your account. (I believe Apple's default 2FA mentioned by GP works the same way.)

Security keys (and the newer project from Google to let your phone act as one over bluetooth) don't have this vulnerability because they connect right to your computer and talk to your browser (and not the attacker's) to verify the domain you're accessing.


But it's still better than SMS, right?

How does the security key/browser pair communicate without involving the site? Does it involve more of Google's interference then? While I know you're not saying "yes" to the site, isn't the key doing roughly the same thing?


>But it's still better than SMS, right?

Right, with Google 2-step verification you don't have to worry about number porting attacks. It's just vulnerable in the sense that a phishing site you've entered your username and password into can still trigger the prompt.

>How does the security key/browser pair communicate without involving the site? Does it involve more of Google's interference then? While I know you're not saying "yes" to the site, isn't the key doing roughly the same thing?

When you use a hardware security key with a browser, your browser tells the security key the page's domain, a user id, and a random challenge token if I remember right. The security key signs a message containing all of these things and gives that back to the browser. If you're on a phishing site, the page will have a different domain than the true site, the message signed by the security key will have the phishing site's domain instead of the true site's domain, and the signed response generated by the security key won't be valid for the attacker to use on the true site.
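As an added illustration of the domain binding described above (example code, not from this thread), here is a toy model of the WebAuthn assertion flow in Python: the signed data follows the real structure (rpIdHash + counter, then a hash of the client data carrying the challenge and origin), but HMAC stands in for the key's ECDSA signature, and the origins are constructed samples.

```python
import hashlib, hmac, json, os

# Toy model of a FIDO/WebAuthn assertion. HMAC is a stand-in for the
# authenticator's asymmetric signature; the message layout is WebAuthn's.

def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()

def rp_id_of(origin: str) -> str:
    return origin.split("://", 1)[1].split(":")[0]

class ToySecurityKey:
    """Stand-in for a hardware key: a separate credential per relying-party ID."""
    def __init__(self):
        self.master = os.urandom(32)
        self.counter = 0
    def _key_for(self, rp_id: str) -> bytes:
        # derive a per-domain secret, so a credential only works for one rpId
        return hmac.new(self.master, rp_id.encode(), hashlib.sha256).digest()
    def verification_key(self, rp_id: str) -> bytes:
        return self._key_for(rp_id)            # what the site stores at registration
    def sign(self, rp_id: str, client_data: bytes):
        self.counter += 1
        auth_data = rp_id_hash(rp_id) + b"\x01" + self.counter.to_bytes(4, "big")
        msg = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(self._key_for(rp_id), msg, hashlib.sha256).digest()

def browser_assert(key: ToySecurityKey, origin: str, challenge: str):
    """An honest browser records the origin the page is really loaded from."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    auth_data, sig = key.sign(rp_id_of(origin), client_data)
    return client_data, auth_data, sig

def server_verify(stored_key, expected_origin, issued_challenge, client_data, auth_data, sig):
    """Relying-party checks: origin, challenge, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("origin") != expected_origin:
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), issued_challenge):
        return False
    if auth_data[:32] != rp_id_hash(rp_id_of(expected_origin)):
        return False
    msg = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(stored_key, msg, hashlib.sha256).digest(), sig)

def demo():
    key = ToySecurityKey()
    real, phish = "https://accounts.example.com", "https://accounts-example.com"  # constructed
    stored = key.verification_key(rp_id_of(real))
    challenge = os.urandom(16).hex()
    genuine = server_verify(stored, real, challenge, *browser_assert(key, real, challenge))
    relayed = server_verify(stored, real, challenge, *browser_assert(key, phish, challenge))
    return genuine, relayed   # (True, False): the relayed assertion is rejected
```

Even if a phishing page relays the real site's challenge, the browser signs it under the phishing domain, so the origin, rpIdHash and per-domain credential all fail to match at the real site.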


Ah ok - that makes sense now. Thanks for the explanation!



