> But what really gets on my nerves is when websites don't even offer better 2FA options like software tokens and hardware tokens to power users.

The number of users on most B2C businesses who want this and would use this as a differentiator when choosing a product would be minuscule.

How do you recover your account if you lose the 2FA device? If the service offers email or SMS recovery then it’s not any better than SMS 2FA.

As a regular “power user” consumer all you should need to do is use a randomised password generator and password manager, not reuse passwords and use 2FA if available.



> How do you recover your account if you lose the 2FA device?

All TOTP apps provide backup codes and export options. Store them in my password manager. If my phone gets stolen, I just import them into the new device.

> If the service offers email or SMS recovery then it’s not any better than SMS 2FA.

I've explained this in another reply. Briefly, in some countries, losing SMS-based 2FA is much more of a hassle than losing device-based 2FA because of government and private bureaucratic hurdles.

> all you should need to do is use a randomised password generator and password manager

No complaints there. Unfortunately, my bank forces me to use 2FA and, worse, forces me to use SMS 2FA.


