[chii]

> user aversion to 2FA is often rational.

The account recovery process should be setup at the start of the 2FA setup - e.g., you get emailed a bunch of backup codes (easiest way imho).

The site should not be using their own 2FA app, but use a standard OTP implementation, and let the user use their own OTP app (most people default to google's authy, but there's a couple out there that are common too).

Or, as an alternative, delegate the login to email and use a password-less login mechanism (effectively delegating the account security to the email's security). I argue this is actually more convenient, but some people (esp. young people?) have an aversion to email which i don't understand.

[2devnull]

“I argue this is actually more convenient, but some people (esp. young people?) have an aversion to email which i don't understand.”

Uhaul does this and it’s maybe the only good I can say about Uhaul. I think the catch is that some people don’t use email (or much of anything) on their mobile phones. Most will get sms immediately wherever they are at. Not everyone uses email that way.

[shushpanchik]

Emailing backup codes doesn't sound like a good idea. You give the keys to the kingdom to email provider or anyone who would be able to access your mailbox.

[chii]

If the email is busted open, then it would already have been possible to do a a forgot password recovery (which i presume uses emails).

Therefore, backup codes are no less secure than that.