by dendory 3610 days ago
It's a bit of a catch-22: if you lose your iPhone, then you need some way to locate it / erase it without having your iPhone. I don't think it's a big deal, you should have backups anyways.

One thing they could do is, if you have more than 1 device on your account, then force you to use another device for 2FA.


It occurs to me that the "use another device" verification process built into iCloud Keychain would work well for this. You could make the entire thing cryptographic, actually: just store each device's "erase code" in the Keychain, such that you have to auth yourself on one of the devices that has the unlocked keychain in order to (automatically) grab the erase code and send it to the associated device.
You're still screwed if you lose both devices (e.g. a burglary where both your phone and laptop are taken).
I'm still locked out of a 2FA-enabled Dropbox account. I broke my phone while my laptop was undergoing maintenance. Still have a log-in token on the encrypted drive of a laptop whose boot password I've since forgotten...
I once left my bag with both inside. It surfaced in the city's lost and found two months after, thankfully. But if I had 2FA enabled, it would have been mighty inconvenient.
I keep some Google and GitHub account recovery codes on a slip of paper with my passport, some more in my wallet, and all in an encrypted file on a server with SSH access.

Hopefully that's enough that I'm not too inconvenienced, should my phone be stolen.

How often do you travel?
For holidays (6 weeks per year) plus one or two business trips (up to 2 weeks per year), plus about 1 weekend a month.

But does it matter?

Should my wallet and phone be stolen whilst I'm away, I can log in to my server using SSH (and a long password), then decrypt a file containing the backup codes (PGP with a long passphrase). Then I can access Gmail/GitHub.