#additionally the more options that are out there (in theory) the more accessible 2FA becomes
actualbuckybames · 2 years ago
All of the points being made here and the undeniable fact that 2FA is less accessible than not having 2FA are valid reasons to critique the widespread implementation of 2FA - particularly when it's made a new requirement with little warning or education for people using those systems.
At the same time, systems aren't implementing 2FA for no reason, and the article doesn't mention the security reasons at all, just that 2FA is a kind of security. That first example in this chain - someone who is not the owner of the account trying and failing to log into a system containing valuable health and billing info because they do not have access to the second factor of authentication - is 2FA working as intended. It's inconvenient, financially burdensome, and outright aggravating in that instance, yes. But it's doing its job.
Credential stuffing attacks simply do not work when 2FA is involved. Those massive data breaches dumping millions of usernames and passwords onto the net go from catastrophic for the affected accounts to merely inconvenient as people who can log in - because they have the second factor - change their password.
Again, I don't mean to downplay how 2FA can prevent well-meaning individuals from aiding friends and family members or how it can be yet another barrier for disabled individuals trying to access certain services. However, websites guarding your information - PHI, financial info, etc. - need to be confident that the person accessing the account is A) who they say they are and B) authorized to access the account. 2FA is one way a site can check off point A. Username and password pairs just aren't enough anymore. Wondering why? Just ask haveibeenpwned and every major data breach in the last few years.
(As an aside, you may have noticed that security questions have also generally gone the way of the dinosaur. This is because the answers tend to be from a limited pool and otherwise easy to guess with information that's available with just a bit of digging.)
No matter what we do, at the current technological moment, security and accessibility are largely a zero-sum game. New developments with WebAuthn and public-key cryptography show promise for reducing some of the tradeoff, but the tradeoff will still be there. Not everyone can have a cell phone. Not everyone can have an email. Not everyone can keep track of a little USB stick that generates codes every now and then.
2FA isn't going away anytime soon and, unless a 2FA implementation is so horrible it impacts everyone's ability to access the service, it's unlikely to be rolled back. Don't let that stop you from continuing to talk about your frustrations with 2FA. Highlight specific pain points in the process that present difficulties for you. Write them down, make them public, so developers involved in implementing those systems can make them as painless and accessible as possible.
resharing this oldie because i just got a new laptop and the number of times i am being required to log in to things, log in to a DIFFERENT app/program/password manager/authenticator, provide a number, and then log in again is making me fucking INSANE