[Al-Khwarizmi]

This is one of the various reasons why I dislike the encroaching mandatory 2FA.

Mind you, I have no plans of spending days without a smartphone, and maybe I'll never want to do that, but I don't like the way in which 2FA is making it outright impossible. It should be my own business whether I want a phone or not, and now it's becoming outright mandatory to interact with society (I can't even log into my workplace without 2FA). Another freedom that vanishes.

[hnlmorg]

2FA doesn’t require a smart phone. It just requires a second form of authentication.

TOTP (the one time codes that are common methods of 2FA) don’t even need a smart phone. You can store them in most password managers, if you wanted to.

With regards to other forms of MFA, you can use email, SMS, hardware keys and I’ve seen some banks use a second password (which is dumb but probably no worse than email or SMS). Some sites just ask your for “memorable information”, which is also terrible in my opinion.

It just so happens that TOTP is the best second form of authentication because it is both secure but also cheap.

If you don’t want to store those TOTP codes on your smart phone then you can store them in your password manager or buy another physical device just for 2FA. I wouldn’t normally advocate storing your 2FA codes with your passwords, but that’s still better than not having any second factor of authentication at all.

[indigo945]

You can, if you really care about this, get a dedicated hardware to store your TOTP tokens (for example [1]). There's also various open hardware projects (like [2]). Or you can just use an old smartphone without a SIM card, which probably doesn't "interact with society" any more than the website you're trying to log on to in the first place.

[1]: https://www.token2.com/shop/product/molto-2-v2-multi-profile...

[2]: https://hackaday.io/project/176959-open-authenticator

[drhuseynov]

An offtopic - since you mentioned hardware. It is better to invest in phishing-resistant FIDO2 devices and try to avoid OTP wherever possible.

[MattGaiser]

You could only have that if your bank account being emptied by someone knowing your password is your problem, not the bank's problem or employees forgoing 2FA carried the liability for their passwords leaking.

If the bank has to be partially responsible for your access credentials and your workplace is going to get in trouble from you reusing a password, of course they are not going to let you have much freedom here.

[Al-Khwarizmi]

I don't buy that argument, to be honest.

Firstly, before online banking existed fraud was quite common, and this dind't make banks unsustainable. And indeed, one of the key points that made people trust credit cards was that the bank had your back if someone emptied your account somehow. I once had fraudulent charges from a country thousands of kilometers away, on a card that I hadn't even used (so there was no chance it could be my fault). I just flagged them as fraudulent and the bank returned the money a few days later, no questions asked.

Secondly, even if you are a security expert with great password practices, do you really want your banking security be considered just your problem? What if one day your account is hacked through no fault of your own, because of some breach/hack of the bank's systems, and the bank denies it, giving you full responsibility? I think it's extremely dangerous to give banks the option to do that. Fraud should always be the bank's problem by default, unless they can prove that the user was negligent.

Thirdly, even if we accept the assumption that 2FA is needed for security, there are more ways to do 2FA that don't involve a smartphone - for example with a physical device, or with a coordinate card. The fact that most 2FA (at least where I live) is mobile-only, and even banks that used to offer other choices are now moving to mobile-only, is evidence that there is a motivation beyond security, they want to make smartphones mandatory.

[em500]

I have an old iPhone SE (2016) in the drawer at home, with a backup Google Authenticator and passwords backup by iCloud. It doesn't need a separate phone plan, or even any other network connection to function as a backup 2FA/password manager. Network (wifi) access is useful to keep the password data synced (which I scheduled for myself to check manually once a month).