by acdha 2673 days ago
> It was never protection against a lost password combined with a stolen device.

I don’t know where you’ve worked but almost every time I’ve been in a discussion that’s an explicit goal. The most common situation being where someone loses a laptop but not a token or phone.

Even in the case where someone gets the phone, note that phones have fairly strong protection against reading private data directly, and 3/5 of my auth apps and my password manager require both the device and a passcode or Touch ID authentication to open, so it's non-trivial to get either codes or passwords out of a device. On iOS at least it's been many years since "an unencrypted phone" existed, so there aren't simple ways to get around this which don't just devolve to some form of "if the CIA/Mossad/etc. target you but inexplicably choose not to hold a gun to your head until you unlock the account".


In the hairy world of Android things are much less certain. Encryption is optional, and root access is available, which can be leveraged to back up the unencrypted contents of any app, including Google Authenticator. I'll agree, an iPhone is a very good secure second factor. But I don't see anyone getting as passionate about not using an Android for a second factor as people get over using a computer, which to me seems totally unjustified.

Especially since most enterprises own their employees' laptops, but not their phones. The administrator can manage and mandate full disk encryption on the PC. But if the employer offers TOTP for a second factor, they have no control over what device holds those TOTP codes.