[mindslight]

Not force nonconsensual authentication methods onto users.

Google is one of the rare places I actually see positive value to 2FA. Compare with say banks, where it being demanded actually decreases my security. But regardless, it should not be forced.

[deepsun]

As for the banks I doubt it decreases security. Even SMS 2FA actually reduces fraud by 90%+ percent.

Yes, some banks implement it silly, like SVB requiring biometric login in order to scan one-time QR 2FA code from their app (biometric login is less secure), but you don't have to use the QR code, can use regular 2FA without biometrics.

But even then having 2FA is 42 times better than not having it.

[mindslight]

For US banks, the most important thing you can do to prevent fraud is to check your account transactions every 30 days so that you can report fraudulent transactions in a timely manner and have them reversed. Anything that increases friction of logging into your account thus decreases your security.

[deepsun]

But then millions of users would stay unprotected from password sealing (see https://haveibeenpwned.com/).

They certainly did a proper thing forcing people to use 2FA AFTER multiple emails over the years recommending to turn it on, and warning that they will enforce it, which they did.