by jabart 1341 days ago
This 100%. Yes, those functions are easy, but that isn't the issue with 2FA; it's the people. I just had a customer send in a ticket that their account from 3 years ago had 2FA enabled. They didn't remember setting that up and had clearly gotten a new phone since then. These quick clickbait articles never bring up those subjects and how to properly address them.

Also had a firewall rule that dropped NTP packets, and it took 3 months for the clock to drift before anyone with 2FA codes couldn't log in anymore.

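The NTP story above is the standard TOTP failure mode: the server checks codes against its own clock, so once that clock drifts past the acceptance window every code looks wrong. The following added example (not code from the comment or from any product it mentions) implements RFC 4226/6238 verification with a one-step window and reports the step offset at which a code matched, so growing drift can be logged and alerted on long before it reaches lockout; the secret and timestamps are the RFC test values.

```python
import hmac
import hashlib
import struct

# RFC 4226/6238 test-vector key, used here as a constructed demo secret.
SECRET = b"12345678901234567890"
STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
WINDOW = 1     # accept codes from one step before to one step after our clock


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, code: str, server_time: int, window: int = WINDOW):
    """Return the step offset (-window..window) at which `code` matched, else None.

    A non-zero offset means the client's clock or ours is skewed. Logging it per
    login gives early warning: a fleet-wide offset creeping from 0 to -1 is an
    NTP problem, not a user problem, and should page ops before it hits None.
    """
    base = server_time // STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + delta), code):
            return delta
    return None


def accepted_offset(drift_seconds: int, client_time: int = 59):
    """Client generates a code from its clock; server verifies with a clock
    that is `drift_seconds` ahead. Returns the matched offset or None."""
    return verify(SECRET, totp(SECRET, client_time), client_time + drift_seconds)


if __name__ == "__main__":
    for drift in (0, 30, 60, 90 * 24 * 3600):   # last one: ~3 months of drift
        print(f"server ahead by {drift:>8}s -> matched offset {accepted_offset(drift)}")
```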

> These quick clickbait articles never bring up those subjects and how to properly address them.

Can you even address this without defeating the purpose of 2FA?

An email-based password+2FA reset loop is an option. The major motivator for 2FA is preventing replay of captured credentials for your own app, leaving out-of-band authentication permissible. Just hope the user didn't use the same password for your app and their email.

You could also try human-in-the-loop authentication by having the user describe their account contents to customer support. However, that's notorious for allowing account takeovers because people are always the weak point in security.