by kstenerud 657 days ago
... Until you drop your phone and it breaks. And now you can't set up a new phone because you need to tap the notification sent to your old (now broken) phone in order to set up your new phone.

I've already had this happen, which is why I use hardware keys now, and a backup phone.

1 comments

Do you mean, you don't print these rescue codes which every 2FA thing keeps nagging you about? You don't have a printout in your wallet, or in your folder with important papers? Not even as a secure note in your password manager?..

Nope, because I was grandfathered into it when Google switched it on for everyone without saying anything. You can still access Gmail and such; you just can't set up any more devices without having some kind of 2FA.

Now I have a hardware key. I wouldn't dare keep rescue key codes (which can't be revoked) in my wallet.

Can't you just use them to revoke them?

You can't revoke them if the paper is in the wrong hands, and you don't have normal access to your account. (Well, they are much like a password in this regard.)

It's just different risk profiles. Your biggest risk might be to drop your phone and lose all the 2FAs in a Google Auth app. Or your biggest risk might be losing your wallet to a thief or robber who is going to hijack your accounts.

I think the chances of the kind of person who steals your wallet also being able to leverage pilfered two-factor authentication codes to hijack your accounts are almost zero.