by loup-vaillant 918 days ago
How exactly in scenario 1 would the service protect itself against sock-puppets? How can they make sure that two different accounts are tied to two different users? How do they prune "false" accounts? We see that kind of stuff being done by Facebook for instance (real name policy), and it has basically nothing to do with MFA.

In scenario 1.5 the service has to make sure users are protected. I believe it is counterproductive there to force users beyond some reasonable step. For instance, it would be unacceptably discriminatory for a bank to require users to have an Android or iOS phone application to be able to make payments online. (Flip phone users should not be second class citizens.)

Scenario 2 is almost exclusively about employees. Issuing hardware to employees is not difficult. I have 2 company-issued laptops, one from my company, one from my client. If my client wanted to increase security, it would be trivial for them to just give me a USB security key, and it would be trivial for me to just plug in that key and touch it whenever there's a pop-up saying I should touch it. I don't see the difficulty here.

In fact, given the choice of installing Okta on my personal phone, or using a security dongle, I would take the security dongle every time. Not only does it better separate work stuff from personal stuff, it's actually more convenient.