[vanilla_nut]

Two ways:

- a Yubikey - a sparingly used email account with no 2FA, just a very long password

2FA through the sort-of-secret email account lets me get back into Bitwarden (and thus everything else) even if my house burns down and I lose access to all of my yubikeys. And auth on a device that doesn't easily support yubikeys, like older iPhones.

2FA is very useful, but highly overrated. If you have a sufficiently long and complex memorized password (and the email platform actually lets you create one that's properly long, 40+ characters), it's unlikely that you'll have any problems unless you accidentally share the password somewhere.

Of course I feel like all my my precautions are moot when my bank and CC company force SMS 2FA. But I haven't found any with superior security schemes anwyway.

[jorvi]

> 2FA is very useful, but highly overrated.

What a bizarre statement. It protects you from any password leak.

If you have 2FA, even if you get keylogged or phished or breached or shoulder peeked, your intruder still does not gain access.

[vanilla_nut]

Sorry, but my Article and Walmart.com accounts do not need 2FA. I'm fine with OTP, but most places use SMS 2FA, which exposes a unique identifier for myself and -- due to SIM swapping, which is a risk on literally every major carrier due to horrible customer service operations -- often makes it easier for a malicious actor to hijack my account.

You're generally correct, though: GOOD 2FA is not overrated and I would welcome it on any account. But it's obnoxious that almost every account I have uses SMS as a singular point of failure. I'd welcome a move back to email 2FA with a backup email for account recovery.

[ckcheng]

Apparently MFA in practice mainly protects against credential stuffing:

https://hn.algolia.com/?dateEnd=1705017600&dateRange=custom&...

[aamir1rasheed]

Small side tangent - I’m on Mint Mobile and enabled 2FA for my account there, which is required for all customer calls. This would stop SIM swapping attacks which are the main failure point for SMS 2FA, right?

[jabroni_salad]

that depends entirely on Mint's 'lost 2fa' recovery process.

https://www.reddit.com/r/mintmobile/comments/104h7p2/locked_...

seems like some senior CSRs can still get you bypassed.

[TurningCanadian]

Passwords don't protect against spoofed login pages.

[cwbriscoe]

Yeah, if you type your password in manually. Password managers protect against spoofed pages though.