[insanitybit]

> So you’re expecting people with bad habits in one area to magically have good habits in another area that only exists because they couldn’t properly solve the original problem.

Not really, no. I'm actually advocating against non-FIDO2 2FA entirely because a strong password is just as good and every browser has a password manager built in now. 2FA doesn't add security, SMS 2FA makes things worse.

[hn_throwaway_99]

Built-in password managers (at least Chrome's) suck:

1. These days, most people use passwords across browsers and native apps. In-browser password managers don't really support this use case well, at all.

2. At least in Chrome's, you can't manually add a password or add any notes.

3. Sometimes login domains change, and since the password is only tied to the domain (not a generic name), it's easy for passwords to get lost.

Again, nobody is really disagreeing with you that the situation is less than ideal or that there are more secure alternatives. But you seem unwilling to accept that a huge swath of the population sucks at secure password management, which is why SMS 2FA is a "lowest common denominator" option to improve security.

[insanitybit]

I think the main contention here is that I'd say users should just do nothing. SMS 2FA sucks and it's going to be a horrible tech debt that we're paying off for decades. We have better alternatives that, for a huge number of users, are perfectly acceptable. For everyone else, yes, they will have to use stronger passwords.

I really don't believe that there's some huge cross section of users who simultaneously:

a) Will go through the hassle of enabling and using SMS 2FA

b) Won't go through the hassle of using another 2FA method - email, totp, any smart phone for u2f, or a dedicated token

c) Won't use relatively unique passwords for high value websites, password manager or not

IMO SMS 2FA is, however, likely convincing users that they are safer than they truly are, and gives companies an excuse to do what's easy and not what's safe.

I mean, some banks even hand out hardware tokens to customers. I'd suggest that instead of SMS 2FA being treated as acceptable we add more pressure to improve the other systems, lower their prices, etc. Hardware keys should be effectively free.