I am requesting the ability to disable "Google Prompts" (Push notifications) without signing out of my mobile devices. Currently, Google defaults to Push even when a more secure TOTP (authenticator) or hardware key is available. This creates a high risk of "Push Fatigue" attacks where a single accidental tap grants unauthorized access. Users should have the option to choose their primary 2FA method for high-security accounts.
I believe this lack of control over 2FA increases the success rate of Account Takeover (ATO) attempts, as attackers can exploit Push Fatigue during the credential recovery process. Unfortunately, my Gmail address has been compromised in a number of third-party breaches, and I am subject to frequent ATO attempts. Because I use a VPN, a push notification alerting me to a login attempt from a remote city is not necessarily a red flag for me. But the bigger concern I have is the inadvertent tap--my screen wakes up, my left thumb is in the wrong place, and I’ve given the attacker the keys to the kingdom by accidentally granting them access to my Gmail account.