by steventhedev 2728 days ago
> If you are building consumer grade software, go with a reset procedure through email. The consumer is responsible for keeping that secure. If their email gets compromised, it can't be your responsibility.

That defeats the whole point of 2FA.

3 comments

I'd say on average anyone who is concerned enough about their security to turn on an optional 2FA feature is also going to have 2FA enabled on their email as well. If I were only allowed to have 2FA enabled on a single account, it would be a very difficult decision between my password manager and my email. As you point out, email access is the key to the kingdom. Also, the only password that I do not put in my password manager is my email account password.
I don't agree.

If my password for <random_consumer_service> gets compromised, the attacker cannot log in at <random_consumer_service> due to the 2FA. To 'defeat' the 2FA, the attacker must also know my email address and password, and have access to the 2FA of my email account.

Your email inbox is a SPOF for most services you use; if it's compromised, you are fubar anyway. That cannot be the responsibility of the creator of <random_consumer_service>.

> That defeats the whole point of 2FA.

Does it? I think of "security" as a relative thing, and would rather be more secure than less secure even if imperfectly secure (which isn't possible in any case).