[Thorrez]

>personal devices are regularly being used in many cases (Non Gov Furnished Equipment) as well, and that thoroughly defeats the purpose too.

U2F and WebAuthN protect against phishing. This protection applies regardless of whether you use a personal device or not.

Even more relevant, one of the main benefits of 2FA is securing people who reuse passwords. Similarly, that gained protection is not lost by using a personal device.

[winternett]

System rules can, and often are configured to prevent password reuse well before 2FA. They have also enforced password complexity for ages now before 2FA... 2FA was invented and foisted on everyone without real necessity and demand involved. Tying vital security to random, and often personal, mobile devices that aren't properly secured and registered is reckless. Text messages also aren't properly secure, neither is Wi-Fi and Bluetooth in many cases... It's not logically sound to say 2FA creates additional security in any other sense but within the technical complexity added to authentication.

None of what you mentioned is advanced security if user phone numbers are stored and accessible along with their personal data.

Social engineering alone from being able to call and text users and socially engineer access to their accounts through scams with the sheer amount of personal data that social sites and apps greedily and unnecessarily collect on them.

Social media surveillance is a gold mine of data for a social engineer these days, specifically BECAUSE of how invasive it is. 2FA does not protect it, it only creates a secure log in, it does not secure data beyond verifying a user has the phone tied to the account. A mobile device is not a footprint nor proof of ID, it can be physically lost or stolen, or even cloned, which has happened often.

[Thorrez]

>System rules can, and often are configured to prevent password reuse

How? And even if it's not verbatim password reuse, people often choose extremely similar passwords such that given one password, the other one can be guessed in a few guesses.

Password complexity requirements don't stop password reuse.

>Tying vital security to random, and often personal, mobile devices that aren't properly secured and registered is reckless.

I agree that SMS is the worst form of 2FA. There are others though.

>It's not logically sound to say 2FA creates additional security in any other sense but within the technical complexity added to authentication.

You're conflating SMS 2FA with all forms of 2FA. There are other forms. The biggest threat that people face today is phishing. That's stopped by U2F/WebAuthN. One of the next biggest threats is credential stuffing. That's stopped by all forms of 2FA, regardless of how weak SMS is.

>Social engineering alone from being able to call and text users and socially engineer access to their accounts through scams with the sheer amount of personal data that social sites and apps greedily and unnecessarily collect on them.

U2F and WebAuthN protect against these types of phishing attacks.

>A mobile device is not a footprint nor proof of ID, it can be physically lost or stolen, or even cloned, which has happened often.

So use a different type of 2FA than SMS.

[Linosaurus]

> System rules can, and often are configured to prevent password reuse well before 2FA.

That does not at all help people who reuse passwords from one site on another.