• Dr. Wesker@lemmy.sdf.org · 38 points · 2 months ago

    I don’t mind the extra layer of security, and actually prefer it. The only exception is when the site/service only allows SMS or email delivery, and won’t let me use an auth app.

  • tal@lemmy.today · 8 points · 2 months ago

    I don’t think that the problem is 2FA itself so much as poor UX on existing systems.

    Let’s say that I have a little USB keychain dongle in my pocket with an “approve” button and a tiny screen. When I sign in, at the time that I plug my password in, I plug the dongle in. It shows the information for whom I am approving authentication. I push the “approve” button.

    It’s got a trusted display (unlike a smartcard, so that a point-of-sale system can’t claim that I’m approving something other than what I am).

    It can store multiple keys, and I basically use it for any credentials that I don’t mind carrying with myself.

    I then keep another, “higher security” dongle at home with more-sensitive keys.

    Does that add some overhead relative to just entering my password? Yeah. But is it a big deal? No. And it makes it a lot harder for someone to swipe credentials.

    I agree that using phone-linked SMS 2FA authentication is problematic (for a number of reasons, not just because it locks you to a phone, but because there are also privacy implications there).
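The dongle described above (several per-service keys, a trusted display, an approve button) can be sketched as a challenge-response protocol. The Python below is an added example, not code from this thread or from any real authenticator: it simulates the device with a shared HMAC secret per service in place of a real key pair, and the `approve` callback stands in for the user reading the display and pressing the button.

```python
import hashlib
import hmac
import os

def _tag(key, rp_id, challenge):
    # The response is bound to the service identity as well as the challenge.
    return hmac.new(key, rp_id.encode() + b"\0" + challenge, hashlib.sha256).digest()

class Dongle:
    """Simulated keychain authenticator: per-service keys, trusted display, approve button."""
    def __init__(self):
        self._keys = {}  # rp_id -> secret key; never leaves the dongle

    def enroll(self, rp_id):
        # Constructed: a shared HMAC secret stands in for a real key pair.
        self._keys[rp_id] = os.urandom(32)
        return self._keys[rp_id]  # handed to the service once, at enrollment

    def approve_and_sign(self, rp_id, challenge, approve):
        # The trusted display shows the identity the dongle will actually sign,
        # so the terminal cannot make the user approve something else.
        shown = f"Approve sign-in to {rp_id}?"
        if rp_id not in self._keys or not approve(shown):
            return None
        return _tag(self._keys[rp_id], rp_id, challenge)

class Service:
    """The relying party: issues single-use challenges and checks responses."""
    def __init__(self, rp_id):
        self.rp_id, self._users, self._pending = rp_id, {}, set()

    def register(self, user, key):
        self._users[user] = key

    def challenge(self):
        c = os.urandom(32)
        self._pending.add(c)
        return c

    def verify(self, user, challenge, response):
        if user not in self._users or challenge not in self._pending:
            return False  # unknown user, or a replayed / never-issued challenge
        self._pending.discard(challenge)
        expected = _tag(self._users[user], self.rp_id, challenge)
        return response is not None and hmac.compare_digest(expected, response)

def sign_in(dongle, service, user, approve, challenge=None):
    """One login: the terminal relays the challenge; the user reads the display."""
    challenge = service.challenge() if challenge is None else challenge
    response = dongle.approve_and_sign(service.rp_id, challenge, approve)
    return service.verify(user, challenge, response)
```

Because the display text comes from the dongle rather than the terminal, a user expecting shop.example refuses when the display says bank.example; a replayed challenge, or a response produced for a different service, is rejected by the service.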

    • 🇰 🌀 🇱 🇦 🇳 🇦 🇰 ℹ️@yiffit.net · 5 points · edited · 2 months ago

      It’s all fun and games until the giant, hulking, unkillable zombie mutant starts stalking you and suddenly that elaborate lock involving 13 different Renaissance paintings arranged through a hallway under different colored lights seems vastly inferior to just having a fucking key and normal lock.

      Umbrella Corp. Security Specialist: “Okay, but what if you lose the key?”

  • socsa@piefed.social · 3 points · 2 months ago

    The better alternatives are worse though. Key based authentication would allow you to effectively authenticate a trusted account on a trusted device with a single action, but requires you to not lose your keys, or to have a multifactor fallback. This is what I want tbh - I tap my yubikey when I set up my phone, and now it doesn’t require passwords. For extra security, require tap on boot.

  • BonerMan@ani.social · 3 up, 1 down · 2 months ago

    It’s literally meant to protect by needing another code that isn’t just “Password1!”