[AStonesThrow]

It is indeed the very epitome of sanity, if you simply consider that the codes are secrets, and this entire practice is derived from having hardware dongles with secure enclaves, where secrets go in but never come out. It is the utmost in security when this one-way relationship is observed.

The ability to export secrets is an unfortunate compromise which vendors make for consumer markets. The MFA apps were not designed for exportability. If you own any Yubikeys you will know this. The whole idea is that this factor is "something you have", in other words, possession of the item containing your secret. An exported secret is no longer a secret, no longer something you have; it's just another password you're shuffling around.

The reason that you don't lose access to accounts when losing your MFA apps is that you took down the emergency backup codes and you committed them to paper, or some other durable medium, in a place where they can easily be accessed during a crisis. You did this scrupulously with each MFA activation, didn't you? Didn't you?

[codalan]

In an ideal world, I'd just use Yubikeys for everything. The problem is that it's not universally supported (or only supports a limited number of keys), so now I have a hodgepodge of 2FA app or Yubikeys or, even worse, phone/email 2FA.

The great thing about Yubikeys is that I can associate backup keys for accounts (when they are supported), so if I lose one key, I can deactivate the lost key and use a backup key in its place.

With heavily locked-down 2FA apps, I have to hope I can do a full recovery on a new device, or go through the recovery code process, or start all over again w/ new 2FA codes. If I'm lucky, the app allowed me to have it installed onto a backup device.

It's way more complicated that just swapping in a new Yubikey.

[ValentineC]

> The reason that you don't lose access to accounts when losing your MFA apps is that you took down the emergency backup codes and you committed them to paper, or some other durable medium, in a place where they can easily be accessed during a crisis. You did this scrupulously with each MFA activation, didn't you? Didn't you?

Not all TOTP implementations, especially indie PHP websites, are robust enough to have implemented backup codes.

[AStonesThrow]

Well, that's pretty sad, but surely, in every case, there is some procedure that's delineated for account recovery when something goes wrong?

I have been dismayed at some supposedly professional implementations, such as when I telephoned Wal-Mart to ask what can be done if I lost my phone (SMS is their only 2FA) and they said that they were prohibited from changing anything in account settings or profiles, and the best idea was to create a new account. (That is crazy -- if you shop at a marketplace like that, they've stored all your receipts, your membership, a potentially years-long trail of paperwork that you may need for taxes, or reimbursement, or refunds later on!)

Even worse, I had a bad time with the United States Postal Service. If I recall correctly, I'd lost access to the registered email address, and I was requesting to change it to something within my control, and they said "no can do", and they told me that my only recourse would be to create a new account, so that's what I did. Interestingly, USPS offers 2FA via either email or SMS, and their SMS gateway service is frequently out of order, so I always use email when logging in there.

Once, around 2021, I contacted GitLab to inform them that their account recovery process was a backdoor to circumvent MFA. They denied any such problem. I suggest that any account recovery implementation be just as secure as the front door to sign in, but also not impossible, because why do you want loyal customers to lose their accounts completely?