Two-factor authentication has had a bad couple of weeks. Not only was a prominent developer, Justin Williams, forced to defend a phishing attack against him to PayPal and AT&T, but it's becoming increasingly clear that SMS-based two-factory authentication is a new vector for hacking.
As a result, Google is doing something about that: since SMS-based two-factor authentication is more susceptible to phishing attacks — someone could potentially intercept a text message or clone a SIM card, as is what happened with Williams — the company wants people to switch to prompt-based verification:
Starting next week, 2-SV SMS users will see an invitation to try Google prompts when they sign in. The invitation will give users a way to preview the new Google prompts sign in flow instead of SMS, and, afterward, choose whether to keep it enabled or opt-out.Overall, this is being done because SMS text message verifications and one-time codes are more susceptible to phishing attempts by attackers. By relying on account authentication instead of SMS, administrators can be sure that their mobile policies will be enforced on the device and authentication is happening through an encrypted connection.
Basically, prompt-based verification is secure, and cannot be intercepted since it runs through Google Play Services. The only way this could potentially be a security issue is if someone steals a phone that is registered to accepts 2FA prompts from Google, but it's really easy to deregister a device from any web browser should that unfortunate event occur.
Two-factor authentication: Everything you need to know
