[azinman2]

This defeats the point of 2FA if you can turn it off without that second factor. In your example, if you don't have that authenticated session then you're still screwed... so you must design for the worst case scenario. The risk of 2FA is losing a device, which is why a proper design has other safety backups, such as backup codes, or leveraging a combination of other accounts that can vouch for you and humans in the loop.

[baby]

> This defeats the point of 2FA

that's not true. You need to think of a threat model. 2FA still successfully prevents attackers that do not yet have a session to connect to your account.

So it is still a clear net benefit.

What it does not prevent, is attackers downgrading your account from a session that already exist. At this point it is easy to argue that if an attacker has this kind of access then the only thing you can do is add 2FA to all critical actions, not just removing 2FA (that would be the least of your issue), but every critical action you can do in the app.

For example if the app is a bank, and wants to protect against these kind of attacks, then they have to prompt 2FA every time you want to want to send money (at least).

[anon102010]

You already have authenticated your computer as the second factor. The article headline implies you can just use a password to remove 2FA. False.

You can use your password AND that authenticated and still valid session or device to do the reset.

Google gives you options with your free account.

1) No 2FA

2) 2FA with insecure methods

3) 2FA with security keys and authenticators.

4) Advanced Protection Program

5) Paid account options with additional options / controls.