Such a bizarre app. Instead of implementing push notifications in the "Google Authenticator" app, Google decided to add the logic to all other apps like YouTube. Before we introduced Okta, our users would get notifications like "Open the YouTube app on your phone to approve this login".
Whilst clever for the people who don't have Google Authenticator installed, it's just bizarre to ignore it when it's there.
They also once bizarrely replaced the `com.google.android.apps.authenticator` package with the new (and still used) `com.google.android.apps.authenticator2`, making everyone set up their accounts all over again or forgo updates: https://www.androidpolice.com/2012/03/22/psa-googles-authent...
Google's preference for their weird, bespoke authenticator over TOTP is also very annoying to anyone who would rather not use it. (It is required in order to add any additional authenticators, and it is the default authenticator.)
TOTP is still phishable; the push notification includes information on where you're logging in from, so you at least have a chance to notice that the login is coming from Croatia and not your house.
Just because it's more secure doesn't mean I want to use it: it's poor UX, especially for those of us who don't carry a phone around 24/7. Even if you use FIDO or TOTP, it will always prioritise push notification and AFAIK you must enable push notification to use any other type of MFA.
Plus (unlike TOTP and FIDO), it's proprietary, making it harder to fit in my workflow. For instance, I can generate TOTP codes from my computer in order to seamlessly sign-in to services.
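Generating TOTP codes from a computer, as mentioned above, needs nothing beyond the HMAC construction in RFC 4226/6238. The following is an added example (not code from this thread or from any authenticator app) that decodes a Google Authenticator-style base32 secret, produces the 6- or 8-digit code, and shows the server-side acceptance window that makes a phished code reusable for a minute or so. The secret used in the test is the RFC test vector ("12345678901234567890"), not anyone's real secret; the `window` parameter and the helper names are this example's own choices.

```python
"""TOTP (RFC 6238) generation and verification from a base32 secret,
standard library only. Added illustration, not an app's real code."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 test-vector secret (ASCII "12345678901234567890").
# Constructed for the example; not a real account's secret.
RFC_TEST_SECRET = b"12345678901234567890"


def decode_base32_secret(text: str) -> bytes:
    """Decode the base32 secret from an otpauth:// URI.
    Apps often show it in lower case, grouped with spaces and
    without '=' padding, so normalise all three before decoding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian 64-bit counter,
    dynamic truncation on the low nibble of the last byte, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps on
    either side to tolerate clock skew. Constant-time comparison, and the
    loop always runs to the end so timing does not reveal which step matched.
    The flip side of the window: a code captured by a phishing page keeps
    working for the whole (2*window+1)*step seconds, not just 30 s."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            ok = True
    return ok


if __name__ == "__main__":
    # Base32 form of the RFC test secret, as it would appear in a QR code.
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current 6-digit code:", totp(secret))
```

Pointing the script at a real otpauth secret gives the same code the phone app shows, which is the "generate from my computer" workflow; keeping the secret in a password manager or an encrypted file is then the whole security story, since anyone who reads it can mint codes forever.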
Any attack that can intercept TOTP codes (= some kind of MITM or local device compromise) can also request the unwanted actions with the IP of your device. All this does is prevent lazy attacks.
With Google Authenticator, there is no notification, is there? As a user, you have to open your phone, open the app, then scroll to the right code, and copy/paste it. (The lack of search is one of the reasons that made me switch to Aegis.)
I always thought Okta was kind of weird, because it's just a notification that says "allow/deny" and it's easy to click the wrong one.
It's possible I'm confused by GP, but there are two things being discussed here, I think:
First, Google Authenticator, which is in fact just TOTP and can be used for both Google 1p and any 3p TOTP thing. And second, Google's push-notification based auth checks, which are used for only certain 1p Google apps (like logging into your Gmail or YouTube).
I'm not sure what Google is trying to belatedly do with Authenticator at this point. But making it less of a support nightmare is a good thing. And I expect somebody (finally) got pragmatic about it maybe not being ideal that users get locked out of all their critical accounts every time they lose their phone. I bet that generates a lot of support overhead for them.
2FA setup in general is a PITA to support with users in the real world. I speak from experience. It's too complicated. Too many different steps involved. People get stuck doing it. People get locked out of their accounts. Etc.
Most people with a clue would not use Authenticator but one of the many alternatives that do the same job but with a bit more convenience (like syncing secrets between devices).
I tend to use Authy. And of course Okta actually acquired Auth0, which created Authy. But you could also use many common password managers for this (except of course the Google or Apple ones people actually default to on their phones).
Meanwhile, Google, MS, Apple, and others are also pushing hard for passkeys. That seems more promising. But what worries me is that they regard this as a browser thing. So that still leaves a lot of mess outside of browsers. As well as their legacy of other supposedly user friendly ways of signing in. At this point most of them de-emphasize 2FA actually. Because it is such a support nightmare.