
When I log into my Google account from my laptop with 2FA enabled, I usually get a prompt on my smartphone in order to confirm the login. I tap OK and then I am logged in.

However sometimes I am not immediately logged in after that. My laptop then shows a screen like this:

screenshot from laptop


Then on my smartphone I get something like this:

screenshot from smartphone

(It is not always laptop+smartphone. Actually, in this particular case I was logging in to Google in a web browser from my smartphone, so everything happened on a single device.)

I wonder what Google is trying to achieve with choosing a number. What type of attack would be averted by this?

I tried to Google something about that, but I found nearly nothing at all. (One not-helpful Twitter post is all I found.)

  • (Nearly) unbelievable Google crap. Now I'm getting "Tap the number shown on your other device". But what other device are they talking about? Genius. Really pissed at Google right now. Commented Jan 7, 2024 at 16:26

1 Answer


I wonder what Google is trying to achieve with choosing a number. What type of attack would be averted by this?

It can protect against two things:

  1. People blindly selecting "yes" when some attacker is attempting to gain access.
  2. Someone stealing your password and attempting to log in in the same timeframe as you.

In case #1, it will stop people from just selecting yes to get rid of the request. Or, at least it will fail 2/3 of the time.

In case #2, it will reveal that the login session is not the one the user is expecting, because the number shown on the user's screens will not match. With the previous yes/no prompt, which only gave some information about the session environment, it was more difficult for users to tell which session it was asking about.

  • People blindly confirming security-critical prompts is a much bigger issue than people realize. Commented Sep 21, 2021 at 11:02
  • Makes somehow sense... On the other hand... Why two prompts? Why is it not already the first prompt that does the number game? Commented Sep 21, 2021 at 13:35
  • What two prompts? Commented Sep 21, 2021 at 15:20
  • @vidarlo: First I get the normal prompt "Are you trying to sign in?" with a simple yes/no button, then after that I get another prompt (the one shown in my question). Commented Sep 23, 2021 at 5:25
  • @yankee It seems like the "Are you trying to sign in?" is a lower-security prompt, good enough for some things, but the "Choose the correct number" is Google's equivalent of "Hey, you're doing something suspicious like using a new device, here's a 'captcha' of sorts." Commented Jul 3, 2024 at 14:59
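A toy model of the number-matching prompt the answer describes, added here as an illustration (it is not Google's implementation; the session names, the three-choice layout and the mismatch counter are assumptions). It simulates both cases from the answer: the blind tap only succeeds about a third of the time, and an approval tied to the attacker's session is rejected when the victim taps the number from their own screen.

```python
import random
from dataclasses import dataclass

@dataclass
class Challenge:
    session_id: str      # login session this prompt is bound to
    shown_number: int    # number displayed on the device that requested the login
    choices: list        # candidates displayed on the approving device
    mismatches: int = 0  # wrong taps; a hypothetical counter worth alerting on

class NumberMatchServer:
    """Toy model of a number-matching 2FA prompt (constructed example, not Google's code)."""
    def __init__(self, rng=None):
        self.rng = rng or random.SystemRandom()
        self.challenges = {}

    def start_login(self, session_id):
        choices = self.rng.sample(range(10, 100), 3)  # three distinct two-digit numbers
        shown = self.rng.choice(choices)              # the one the requesting device shows
        ch = Challenge(session_id, shown, sorted(choices))
        self.challenges[session_id] = ch
        return ch

    def approve(self, session_id, tapped):
        """True only if the tapped number matches the one tied to this session."""
        ch = self.challenges[session_id]
        if tapped == ch.shown_number:
            return True
        ch.mismatches += 1
        return False

def blind_tap_success_rate(trials, seed):
    """Case #1: the user taps a number without looking; an attacker-started login
    succeeds only when the blind tap happens to be right (about 1 in 3)."""
    rng = random.Random(seed)  # seeded only so the simulation is reproducible
    server, wins = NumberMatchServer(rng), 0
    for i in range(trials):
        ch = server.start_login(f"attacker-{i}")
        wins += server.approve(ch.session_id, rng.choice(ch.choices))
    return wins / trials

def concurrent_login(seed):
    """Case #2: the victim logs in (session A) while an attacker holding the stolen
    password logs in too (session B). The victim's phone receives B's prompt, but
    the victim taps the number shown on their own screen, i.e. A's number."""
    server = NumberMatchServer(random.Random(seed))
    a, b = server.start_login("victim-A"), server.start_login("attacker-B")
    return a.shown_number == b.shown_number, server.approve(b.session_id, a.shown_number)
```

The attacker in the concurrent case gets in only when both sessions happen to draw the same number, which is why the mismatch counter is the thing a defender would want to log.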
