Because user aversion to 2FA is often rational. The expected cost of learning how to use 2FA plus risking losing access to your account and not being able to get it back through support is often higher than the cost of having your account compromised.
The account recovery process should be set up at the start of the 2FA setup - e.g., you get emailed a bunch of backup codes (easiest way imho).
The site should not be using their own 2FA app, but use a standard OTP implementation, and let the user use their own OTP app (most people default to Google's Authy, but there are a couple out there that are common too).
Or, as an alternative, delegate the login to email and use a password-less login mechanism (effectively delegating the account security to the email's security). I argue this is actually more convenient, but some people (esp. young people?) have an aversion to email which I don't understand.
“I argue this is actually more convenient, but some people (esp. young people?) have an aversion to email which I don't understand.”
Uhaul does this and it’s maybe the only good thing I can say about Uhaul. I think the catch is that some people don’t use email (or much of anything) on their mobile phones. Most will get SMS immediately wherever they are. Not everyone uses email that way.
Emailing backup codes doesn't sound like a good idea. You give the keys to the kingdom to the email provider or anyone who would be able to access your mailbox.
But that's only because companies, like Google, offer no human support for lost accounts. Somehow I wonder if 100 years from now personal data will be handled by something like a bank. If you lose your password you call your personal data bank - which can get you back online or something like that.
Maybe that's the next big thing - local, personal companies that are your "online power of attorney" that have the right to reset your shit, make claims about your identity. I have no idea. But the current state of things is just a mess.
Maybe for some irrelevant social media site I can understand doing password-only auth because who cares, but this has your DNA on it. Even if the person who has all their personal information leak doesn't care, they fucked over their entire family. I guess that's not 23andMe's fault though because they were just satisfying a rational user aversion!
Not only that, but the aversion to using methods of logon other than passwords is less rooted in passwords being easy, and more in passwords being STANDARD. Passkeys for instance are faster to use than passwords. The ONLY thing that makes passwords "easy" is people's refusal to start using something better because of one-time switching costs and inertia.
Plastic cups and discarded napkins also have DNA on them, and yet most people are willing to leave those lying on the table in an airport food court. If an entire family gets "fucked over" by this leak, they're going to get...medically invasive spam?
Which is bad, obviously, but I think everyone is catastrophising it.