Hacker News
by Spivak 3030 days ago
Why worry about people affording it? TOTP hardware keys are super cheap, just give them out to people without phones at the local BMV. There are some that are credit card sized and one battery lasts 5+ years.

Alternatively, there are a number of desktop-based 2FA clients:

- Authy
- GAuth
- JAuth
- WinAuth

1 comments

The thing you're missing is that you're still at the mercy of the establishment with which you're authenticating. Just like how my 1024-character banking login password doesn't stop my bank from giving someone else my debit card.

To suddenly arm a bunch of people with a new authentication paradigm like hardware keys would just result in a lot of people losing them and then having to go through the establishment's reauthentication channels anyways, which are the weakest link in these systems. And the influx of people needing account resets further degrades the security of the channel the same way you stop asking to see IDs when customers are paying with credit during the lunch rush.

It's not a free lunch.