My rant with that is that the normal, regular user won't configure the fall-back solution. Nobody remembers to write down those numbers-and-codes; when they do, they don't keep them safe and leave the paper on the desk.<p>When you travel abroad, are out of battery, break your phone, etc., etc., you're 100% out of your digital life until you can overcome the 2FA limit. And this happens in the moments you need it most.
My bank mandated some “phone code” for a transaction; only problem was that it didn’t arrive. So I tried again and again. 20 minutes later, like 7 of the things arrived all at once on my phone. The bank locked my account for “suspicious activity”, and it could only be unlocked with a phone call. Then I call them, the minimum estimated wait is 50 minutes (oh, and the estimate got worse each time I tried later; and they are not open on Sundays). It ended up taking days to fix something caused by THEIR unreliable mechanism.<p>I also had an issue with an account that had a 2FA option but via an app that proved dangerous because I accidentally forgot about it when switching phone <i>devices</i> (same number) and just about locked up my entire account trying to get it working again.<p>If you mandate 2FA, it has to work and it has to leave the customer better off. If not, why bother?
2FA sucks for so many reasons. Privacy is destroyed and losing your phone is multiplied into an even bigger disaster.<p>But just say "no" to Google and a lot of the issue goes away.
If it's SMS we're all fucked. Cell carriers are not hardened against attack and nobody's life savings, communication, social life, etc. should be wrapped up in their incompetence.
Wasn't there a wave of articles just a few months ago about how it was time to give up on two-factor because phones/sims were too easy to hack, spoof etc? Regardless, the day a service or site (other than my bank) requires a phone or other physical device to be tied to my account is the day I stop using the service. It's a profoundly bad idea for so many reasons. Passwords are like democracy: the worst idea, except for all the others.
The blog post from Google: <a href="https://www.blog.google/technology/safety-security/a-simpler-and-safer-future-without-passwords/" rel="nofollow">https://www.blog.google/technology/safety-security/a-simpler...</a>