2FA is a problem for people with limited access to tech

17 points by vestrigi over 3 years ago

2 comments

pledess over 3 years ago

This may be an area where government regulation is needed, because otherwise service providers have the wrong incentives. Many service providers save a lot of staff costs (for staff who would otherwise be working on any aspect of recovery from account takeover attacks) by requiring a 2FA technology that's acceptable to a huge fraction of their user base. They have no economic incentive for allowing anyone to opt out of 2FA. Regulation might, for example, consider these three factors, among many others:

1. If users rely on the app for basic needs of existing in society, then 2FA must not be mandatory. A user who remembers their password, but has absolutely no continuity of any physical possessions or physical location, must be allowed to log in (unless there has already been an account takeover that caused damage to the service provider). Some level of government subsidy might be available to service providers who can meet this requirement.

2. Apps that are more specialized or recreational in nature can make 2FA mandatory.

3. 2FA can be mandatory if the service provider does not obtain any revenue by offering the app.

(These are just initial thoughts, not a complete specification of what regulations would be reasonable.)

josephcsible over 3 years ago

> The assumption that people will have consistent access to the same mobile number simply isn’t true for a lot of people.

Why does this matter, unless the only options for 2FA are insecure ones? Secure 2FA today won't depend on your phone number not changing.

> Phones cost money. So do phone plans.

Google Authenticator and FreeOTP work even without network connectivity, so no phone plan is needed.

> Phones break or get stolen.

Isn't this what backup codes are for?

> it's an act of marginalization

Is requiring that drivers carry liability insurance also "an act of marginalization" since it's a problem for people who can't afford to?

And from a reply:

> My grandfather is literally locked out of a bank account right now because he no longer has the right phone, cannot remember his secret answer, and cannot physically visit a branch of this bank.

Isn't it actually a good thing that under those circumstances, he's locked out? If he could get into his bank account without any of those things, then couldn't someone who's trying to impersonate him easily do the same?