Necessary but evil. My workplace had a million headaches implementing an email-based 2fa system. So many automatic services blocking our emails, so many people who are tech illiterate who cannot understand 2fa, and all of their calls got sent to me and my team despite none of us having technical support experience. However, it has massively increased the security of our site, while allowing us to finally implement a way for people to unlock their own accounts if they do have too many unsuccessful login attempts. The juice is worth the squeeze.

I get why 2FA is adopted so widely: companies need to cover they asses. Even if you don’t care if a hacker gets ahold of your password for a flash game website, that password leak could cause issues later on, and opens the website up to responsibility.

What really bothers me more, is that 2FA is relying so heavily on phone numbers, which is an extremely flawed security system. At least some of the larger companies are open to using authenticator apps, or sharing the private key for storing in a database. But so many websites do 2FA by “requiring a phone number”, which just puts a lot of security responsibility on the phone carrier now. The user doesn’t really gain any extra responsibility for having good opsec, because phone companies fuck up all the time and assign phone numbers to new sim cards all the time, often on concerningly small amounts of information

I dislike it. I already have a unique, long, randomly generated password for every account. That’s stored in a password manager with a unique, long passphrase. 2FA provides very little additional security in that scenario.

Worse, many services won’t let me use a standard TOTP authenticator. Some insist on SMS. Worse, some insist on their own app.

I just hate it when the only 2fa option is my phone number.

Its fucking annoying that I need my phone surgically attached to me at all times, to do fucking anything on the internet, especially anything important.

This combined with constant logging out is driving me nuts, I truly only have one device that can actually log into everything, all my other devices are logged out so frequently theyre unusable.

They been a disaster for the elder and homeless community. Many of them have no cell phone and only login once a week and 2fa makes it pretty much impossible for them.

I get it, but fuck it’s beyond annoying sometimes. Its also impossible for homeless/at risk people who dont hold onto phone numbers or 2FA apps.

With luck they can guess an email password or reset it. But when 2fa is tied to a mobile 3 numbers ago, or needs the exact same device. Its fucked

Then you have to call the government (verbally Thanks for gov accounts) who are increasingly hard to get hold of coz its all a robot phone tree telling you to go online. Then when you so get someone you have to provide ID (thst they may or may not have a copy of) and start again.

Every time. Its near impossible.

I hate it. I already agreed to use unique unmemorizable password for every account and store them all in Bitwarden and now this is not enough? Yeah, I store my email password in Bitwarden too. With phones it’s even worse, since it’s way more probable to lose your phone than to lose your money due to database password breach. I don’t understand why those probabilities are not estimated when introducing practices like this. Also, I don’t remember the details but in the past I lost some accounts and passwords just by factory resetting the phone which had password manager app installed (probably forgot to transfer passphrases from the phone before wiping it).

Hate it. Or at least several implementations.

Apps that email and must open the emailed link in app? Sucks when phone is set to block links opening apps, or the address is not configured on that phone.

Many apps store too much data.

While they are annoying unfortunately we live in a world where username+password is not enough for anything that has to be remotely secure.

I’m guilty of password reuse. I’m guilty of choosing weak passwords, my desktop computer has the password “1” because I had to set something.

I don’t have any issues with them. What I do take issue with is companies enforcing them with the assumption being you will use your own mobile device to authenticate for them. I feel like it’s not worth the stink to complain but both places I work for require 2fa now and I need the authenticator app or get a message to my phone.

Absolutely necessary.

It should be required everywhere.
Username+password alone is not safe.

Bitwarden will only ask for 2fa when signing in from a new device.

Disagree. So much money is lost because of simple password auth. Mandatory mfa fixes nearly all of it.