Two-factor authentication is dumb. It invites poor discipline with reusing passwords, and with 500-pound gorilla corps, losing your second factor is losing your account permanently.
Yup — and the standard phone authenticator app pretty much guarantees you'll lose your second factor one day, unless you always upgrade your phone before it breaks.
- Alice is currently reusing passwords, and does not use 2FA. Alice decides to set up 2FA, but keeps reusing passwords. Not ideal, but net improvement.
- Bob is using a password manager, but does not use 2FA. Bob decides to set up 2FA, and sticks to using the password manager for storing passwords. All good!
- Charlie is using a password manager, but does not use 2FA. Charlie decides to set up 2FA, and afterwards drops the password manager, and starts reusing passwords. Not good.
My guess is the Alice and Bob cases would be the majority. Do you think the Charlie cases would also be common?
None of this is true. It doesn't encourage password reuse but it does protect against it. I've also never found a single site that wouldn't let me reset MFA, even if the support process was painful and slow.
FWIW, password reuse with MFA is not actually that much of a problem any more. Neither is rotation (which was shown to be a net negative). There's a whole set of NIST guidelines on the topic.
> I've also never found a single site that wouldn't let me reset MFA, even if the support process was painful and slow.
It's pretty common to read about people fully losing access to their Google accounts and often only regaining it by using internal contacts at the company (or being shit out of luck). I don't think even supporters of 2FA can discount how difficult (or impossible) it can be to regain access to 2FA accounts for certain providers.