When you use a device to do 2FA, Google will display one code on the logging-in device's screen and three on the 2FA screen. This is so that the user doesn't just blindly hit accept on the Gmail/YouTube app that hosts the 2FA prompt.
A one in three risk of hitting the wrong button still seems insanely high to me. Why is this 2FA method deployed instead of things like "enter the code here"?
(I know it wouldn't necessarily have stopped this phishing attempt.)
It should be much less than one in three, because the user doesn't get conditioned to "just tap one of the numbers and it goes away". The way to consistently dismiss the interruption is to tap the fourth button labelled something like "what, no, that wasn't me".
Yeah, good point. But I still think it's too much risk to place on a potential errant click.
(I have to admit I haven't used the UI in question, and I can't find a screenshot of it on Google Images. Maybe this is a lot safer than I'm imagining.)
I had it just today, it's slightly worse than I was remembering! The "Cancel" button is way less prominent.
Still, remember this is MFA - at least I'm pretty sure you can't have this as the only way to access your account. An attacker typically needs your password plus you to misclick here.
Unclear why. You have to hit a prompt that says "Yes, this was me" and then pick a button. The approach AirPlay takes to pair: type in a 6-digit code. That seems better to me.
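The two prompt designs argued over in this thread, modelled server-side as an added example (not Google's or Apple's code, and not posted by anyone above): a number-matching prompt where the authenticator shows the real number plus decoys and any wrong tap or an explicit "not me" ends the challenge, and a typed-code prompt in the AirPlay style where the user enters the digits shown on the trusted device. The two-digit number range, two decoys, 60-second expiry and three typing attempts are assumptions chosen for illustration; the `now` parameter exists only so expiry can be exercised without sleeping.

```python
"""Toy server-side model of two second-factor prompt styles.

Illustrative code, not Google's or Apple's implementation. The number range
(0-99), decoy count, expiry and attempt limit are assumed values.
"""
import hmac
import secrets
import time

_rng = secrets.SystemRandom()  # CSPRNG-backed shuffle, never random.shuffle


class NumberMatchChallenge:
    """One pending "was this you?" prompt using number matching.

    The login screen shows `answer`; the authenticator shows `options`
    (the answer mixed with decoys) plus a separate "No, it wasn't me" button.
    """

    def __init__(self, decoys=2, ttl_seconds=60, now=time.time):
        self._now = now
        self.answer = secrets.randbelow(100)  # assumed two-digit range
        # Decoys must differ from the answer and from each other, otherwise
        # the authenticator could show the same number twice.
        pool = [n for n in range(100) if n != self.answer]
        self.options = [self.answer] + _rng.sample(pool, decoys)
        _rng.shuffle(self.options)  # answer is not always in the same slot
        self.expires_at = now() + ttl_seconds
        self.state = "pending"  # pending -> approved | denied | expired

    def _expired(self):
        if self.state == "pending" and self._now() > self.expires_at:
            self.state = "expired"
        return self.state != "pending"

    def choose(self, chosen):
        """The authenticator tapped one number. A wrong tap ends the challenge:
        whoever triggered the prompt does not get a second try on it."""
        if self._expired():
            return self.state
        self.state = "approved" if chosen == self.answer else "denied"
        return self.state

    def deny(self):
        """The explicit "that wasn't me" button."""
        if not self._expired():
            self.state = "denied"
        return self.state


class TypedCodeChallenge:
    """Pairing-style prompt: the trusted device shows `code`, the login
    screen asks the user to type it. A bounded number of wrong entries is
    tolerated because typos are expected; exhausting them denies."""

    def __init__(self, digits=6, max_attempts=3, ttl_seconds=60, now=time.time):
        self._now = now
        self.code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        self.attempts_left = max_attempts
        self.expires_at = now() + ttl_seconds
        self.state = "pending"

    def submit(self, typed):
        if self.state != "pending":
            return self.state
        if self._now() > self.expires_at:
            self.state = "expired"
            return self.state
        self.attempts_left -= 1
        # Constant-time compare so response timing does not leak digits.
        if hmac.compare_digest(typed.encode(), self.code.encode()):
            self.state = "approved"
        elif self.attempts_left == 0:
            self.state = "denied"
        return self.state  # still "pending" after a wrong entry with tries left


def demo():
    """Walk through both flows; returns the final states for inspection."""
    nm = NumberMatchChallenge()
    print("login screen shows", nm.answer, "authenticator shows", nm.options)
    nm_result = nm.choose(nm.answer)
    tc = TypedCodeChallenge()
    tc_result = tc.submit(tc.code)
    return nm_result, tc_result


if __name__ == "__main__":
    print(demo())
```

The design point the thread circles around is visible in `choose`: a wrong tap on a number-matching prompt is a one-way transition to `denied`, so an errant click fails closed rather than approving, and the challenge cannot be retried by whoever started it. The typed-code variant instead accepts a few mistakes because mistyping is normal, which is why it pairs naturally with a much larger code space.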