[xorcist]

> Two-factor auth wasn't even a commonly accepted best practice two decades ago.

Maybe, had you said three decades? But not two. It was already mature by then.

Two decades ago was 2003. Even consumer banking was online, and in many countries exclusively 2FA.

I've worked the banking space then and we absolutely had smart cards. Military and defense had them everywhere. Proprietary solutions had already gone away replaced by PC/SC. NT 4.0SP6 had support out of the box, because it was already a hard requirement for many customers two and a half decade ago.

[thrashh]

Sure. My dad had a 2FA dongle in the 90s too

But outside of government, defense and banking, who exactly was using it?

It was not on the radar of the vast majority of people. Most technology takes decades to filter through the world

[xorcist]

Well, the vast majority of people live in impoverished areas of the world, so in a strict sense that's true.

But it was absolutely a standard form of authentication already, and regarded as best practice security for those who cared about such things.

Which perhaps weren't that many, but then again, still isn't.

[unbalancedevh]

I had to use it in the 90s for a job I had at an automotive OEM.

[bearjaws]

I would bet most peoples first encounter with 2fa was 2013+, I didn't even have to use it at my job (in healthcare!) until 2015.