
2FA is a step backwards, at least in the way most services implement it where you totally depend on a phone (I know there are other ways to do 2FA).

I know that passwords are insecure (or at least, most people's passwords are) but I'd rather have that than tying all my identity to a phone.

Since I started using the internet in the 90s I haven't ever had any password-related incident that I know of. Now I have a constant fear of my phone being lost or stolen. I do have an export of the authenticator files, but what if it fails, or if the phone thief starts doing bad stuff since some services are going so crazy with 2FA that they relax the rest of their security? (I have seen Yahoo mail sometimes not asking for password at all, just some SMS code).

I only use 2FA where it's mandatory (unfortunately, more and more services) and I wish it were forbidden to make it mandatory, at least in this form where you totally depend on a phone.



I'm pretty old. I've been using computers for a long time, when it was still just something a selected few would do and when it certainly wasn't common that everybody had "a PC" at home. Forget internet.

I've made CS my profession also many, many years ago, certainly before mobile phones (I'm talking _any_ kind of mobile phone, not smart phones in particular) were a thing.

I'm setting all of this context up just for the following mini rant: Eternal September is a thing. With all IT now tailored to the unwashed masses, some things had to give. Like, as you say, "most people's passwords" are insecure, but they can also be made very secure without too much effort. The tech-savvy folks are aware of that but the moms aren't - so now _everyone_ (including us who wouldn't really need it) has to deal with nuisances like 2FA.

Computers used to be tools for professionals, now they're basically household appliances. It's a net win, I would say, because life has improved for society as a whole. But something got lost along the way, too.


I really like the MFA implementation in 1Password. You can even have it autofill from the browser plug-in so you don't need to go find your phone whenever you need to log in to AWS or whatever.
