by PaulHoule 1666 days ago
My wife got kicked out of PayPal for no good reason 15 years ago. I think she could have reinstated it if she sent a fax but she wasn't about to send a fax.

If you want to know why people aren't adopting 2FA, it's because we know it's just a matter of time until the hole that attaches your Yubikey to your keyring wears away, your Yubikey disappears, and with customer service that amounts to "talk to the hand" at many sites, it's a digital death sentence.

5 comments

Because of this, I make a point of having three 2FA keys: a daily driver, a backup key on a key ring, and the final one in a fireproof safe. Like you, I would be afraid of what would happen if I lacked my key.

Companies need to at least clarify "what happens if I don't have my key". Also, one-time codes are a thing that need to be saved and can help mitigate a hardware failure.

Great for you, but you have to realise that the average person can barely even remember a single password. That is not a solution suitable for mass adoption.

I would see Apple's recent addition of 2FA support to iCloud passwords as a good (and maybe the only) 'average person solution'? MS Authenticator is also good, as you can sync it, and if you get a new phone you can get the same 2FA codes again.

Amazing that in 2021 there are few better alternatives than having 3 x 2FA keys.

What would be that alternative?

The point of 2FA is "something you have"... if you lose it, you no longer have it. It's designed to lock you out if lost/stolen... otherwise, what would be the point?

As an aside, 2FA keys are not what most people use... they use cell phone numbers, time-based rolling-code authentication apps, email addresses, etc. It's your choice to use a physical key, even if it might technically be the most secure of the options.

Security is always a trade off with convenience.

GP seems to not understand the point of 2FA. If you can simply call up customer support and maneuver your way back into a locked account, then so can the "bad guys". Any information they have about you can be found by a determined attacker... hence, the "something you have" approach.

Ideally I'd like to be able to register my physical token with the manufacturer and have them send me a replacement based on sufficient identification. Things like ordering the replacement with a credit card in my name, sent to my mailing address, vouched for by a notary public, and/or anything else that I check off on the list of factors I find acceptable when I send them my registration form.

The alternative is for me to use TOTP and have the secrets printed out, lightly encrypted, and stored in a safe deposit box.

In order for this plan to work, the token manufacturer would have to be able to store your secrets, which means uploading your secrets, which defeats the purpose of physical tokens. Just use a cell phone number one-time code or an authenticator app with time-based codes instead.

You can enroll your phone and some laptops with most sites, so it's definitely getting better.

I wouldn't depend on long-term data retention of flash memory. You should have a passphrase-encrypted printout of the contents as well.

Why wasn't she about to send a fax?

I don't think wear-and-tear is why people aren't adopting them. I have a yubikey from Mt Gox (yeah, the btc one) that I've just left on my keychain all this time. My keychain is not treated gently, and it's been through the washing machine more than once... yet the hole is fine, and plugging it in now, it still functions and delivers its gibberish after a touch. I don't know what the expected lifetime should be.

I can't really speak to other people, but I personally avoid adopting 2FA because 1) most of my passwords are strong 2) it's not true 2FA, instead of yubikey it's some shitty SMS system or more uselessly a TOTP system whose key I can add to a bash script that'll use oathtool and xdotool to enter it for me with a hot key press 3) it's some shitty app that requires my online smartphone 4) I worry about the opposite case where services are so forgiving to restoring access that even if you have a brain aneurysm and forget the password and your yubikey bursts into flames they'll still let you in after a phone call -- if my account access can be socially engineered that way anyway, I don't want the additional annoyance of dealing with 2FA.

Yah, that sucks...losing access to PayPal can be really bad depending on your situation.

My brother got kicked off Facebook a couple weeks ago because his account was hacked and they couldn't decide who was legit and who wasn't, so they just threw up their hands and shut down his account. It hurt because he used Facebook a lot.

I agree that 2FA doesn't solve the problem of companies deciding not to invest in good, considerate, human, security-conscious customer support. More technology isn't always the right answer, especially when it comes to questions of companies harming and then dehumanizing their customers because it's cheaper than doing the right thing.

On the flip side, if you're putting enough money through your account PayPal will give you a VIP account manager who will make sure everything is great and will go to any lengths to keep your account working for you, regardless of whatever the fuck it is you are selling. Even if you were running one of the world's largest TV show torrent sites. PayPal would ask for an account so they could look around and then they would be like "All good! Keep going!"

I got in trouble with PayPal in... like... 2007 maybe, not entirely sure when. I remember that I never got an email about it; the account was just restricted one day when I logged on to make a purchase, and they asked for A LOT of papers and faxes and scans to unlock it again. I never got an explanation for that, but since then I've never had a problem again.