[winternett]

> I don't really get your post.

That's because we are going down a rabbit hole far away from the original premise... We are talking mostly about social media here (as cited above) using 2FA... 2FA in more high value settings is a separate discussion.

In Private settings, 2FA can still be compromised by data scraped from social media, that catalogues data even on people who do not create social media profiles.

I am not arguing against the technical merits of how 2FA operates, but even with a Yubi Key, a user with system access can be compromised if they are physically extorted or abducted along with their key. The real world is a factor in security, it is not overcome by encryption.

I have listed several aspects of flaws to the security model in other posts here. Arguing about the technical bones of 2FA is a distraction/sidebar from those other valid points.