[ahelwer]

That's true, but I single it out because:

1) Many people have had their Gmail account for a long time, starting before SMS-based 2FA was widely known as a security disaster (this is in fact still not widely-known)

2) Google still actively encourages users to add a recovery phone number

3) Users could have added a phone number years ago then forgotten (this was the case with myself)

4) Users often have many websites using their Gmail account for password-reset workflows (this is definitely the case with myself)

All of these combine to make Gmail the ideal hacker entrypoint. See this hack: https://www.reddit.com/r/ethtrader/comments/8klw4f/someone_j...

[gruez]

>2) Google still actively encourages users to add a recovery phone number

i would consider the average person to be pretty bad at handling otp backups. how else would you do recovery?

[ahelwer]

You are correct this is a significant usability issue. Personally I use Authy, which performs automatic encrypted backups in case I lose my phone. I then have to remember my Authy recovery password (not stored in my password manager, which is itself secured with a TOTP - hello circular dependency danger!) I also keep a yubikey authorized with all my accounts as second backup.

All these things are beyond what the average person wants to worry about, as you say, but HN readers will find it simple. Personally I'm hoping U2F (Yubikeys) are the future, since your average person certainly understands the concept of a key.