I get that <i>most</i> people have them and carry them around, but it still seems like a naive solution given that they can be lost/dropped/broken/stolen so easily.
<i>Can</i> be, but .. if you consider the rate of loss of phones amongst people who know and understand 2FA, is it, or is it not better than single factor login?<p>The absolute loss rate of phones has to be contextually understood.<p>Also: what do people do when they lose their phones? They notice, and they rapidly cancel them out. So.. if you didn't keep the backup codes you are SoL but if you did.. the 2nd factor can't be abused.