[ndm]

Expecting everyone to jump through the hurdles you describe is why we're in this terrible state we are in today. It's just not practical, affordable, or even possible for many.

$38 is a lot of money to a lot of people. Some people just simply don't have a safe storage space either.

[DennisP]

To some, but I wouldn't have called $38 a lot of money even when I made $8/hour. Note, however, that my approach doesn't require spending that $38, since stored backup codes with Authenticator are also a workable solution. Anyone in the U.S. who owns a smartphone or computer with internet access isn't likely to be so poverty-stricken that they can't easily afford $20/year. Storing copies in a couple less-secure places is another option.

In any case I'm not seeing how outsourcing the backup token to another site is much of an improvement compared to not having 2FA at all. In this case, either:

- You set up 2FA with Facebook as well, in which case you're still locked out if you lose the device, or...

- You don't set up 2FA with Facebook, and that allows someone to bypass the 2FA on Google by just guessing your passwords.

So this seems to me a very marginal benefit over just skipping 2FA in the first place. If you're not willing or able to deal with real 2FA, then why pretend? Just set up a free password manager and leave it at that.

[ndm]

You seem to be failing to acknowledge your privilege to live in the US and earn $8 an hour. There are people who live outside of the US and earn far less. Also, delivering a yubikey might be actually impossible.

> - You set up 2FA with Facebook as well, in which case you're still locked out if you lose the device, or...

Not necessarily. What if one was totp and one was sms? What if you forgot to setup one but not the other? Also, 2FA on Facebook is not required to use this feature. I have been in this situation before.

> - You don't set up 2FA with Facebook, and that allows someone to bypass the 2FA on Google by just guessing your passwords.

This is based on partial information, which I admit has not been well publicized. Facebook implements a time-based lockout after a password is recovered allowing a user to notice activity. It will also issue a "step up challenge" for risky users. Must be known device, known location, etc. or another factor is required to initiate recovery. Those with 2FA will answer a 2FA challenge, those without will fall back to other means or simply not be able to initiate a recovery.

> So this seems to me a very marginal benefit over just skipping 2FA in the first place. If you're not willing or able to deal with real 2FA, then why pretend? Just set up a free password manager and leave it at that.

Password manager adoption amongst the world is still terrible. This is an option that anyone can use without any additional tools or tricks.

[DennisP]

If you want to limit your security to what's achievable by destitute third-worlders, fine, I'm just saying it's not my choice.