Yeah, Google, GitHub, Facebook.
But my bank doesn't. My insurance companies don't. My broker doesn't. It's all very sad.
Disappointingly, my (former) bank, insurance, and broker companies only supported "2"FA via SMS, which is even worse--in my opinion--than not supporting anything at all because it gives a false sense of security. My bank and my mobile phone provider would both allow me to completely reset my credentials using solely a verification via SMS, so anyone who hijacked my phone number could steal from me.
Even more obnoxiously, lots of businesses don't accept "VoIP" SMS numbers because they are deemed "insecure," even though my VoIP numbers are hardened behind much better account security than anything my mobile provider offers.
Admittedly, the chat bot is a hobby project so I was only looking for a couple of weeks in my spare time, maybe I “looked wrong” but everything I found was focusing on clients and rarely on servers.
You do need to go into this either understanding what's actually going on or open to just being told what to do rather than trying to plug it into a model you have from, say, using password authentication.
EDIT: apparently the OP meant SMS password reset without requiring the second factor, not SMS 2FA. Of course that's terrible.
If I want to compromise your account, I force fallback and then compromise your SMS. Security is as strong as the weakest link.
It's more like you have a deadbolt and a regular lock. Sure, you can open the regular lock with just a credit card, but that doesn't help you with the deadbolt...
Sure - Google, Github, Fastmail. But nothing financial. Not even the more startupy stuff like TransferWise and Revolut. Fastmail forced me to enable SMS 2FA to use U2F, which I suspect is actually worse than not using 2FA.
Also, an inherent problem: I would really like to keep a backup key in a galaxy far, far away in case my house catches fire, but I cannot enable a key if I do not have it at hand.
This was years ago, so YMMV.
It's a real UX issue, the average person just can't back up their TOTP codes at all. Hell, I have a Yubikey as a backup and enroll the TOTP code to both places, and to the Yubikey as U2F.
To use my own insight: regular joe does not want to buy an expensive product and install some hardware. (The "cheap" $20 ones are literally worse than useless. But even $20 is too much.) 2FA's future is in touchID (integrated into touch bar on mac) and push to a phone app. The latency of push to a phone app is more acceptable than the confusion and vagary around adding an expensive usb key that you don't understand and then doesn't work on your mobile anyway.
> 2FA's future is in touchID (integrated into touch bar on mac) and push to a phone app.
As another person pointed out, this is quite literally what krypt.co's Krypton app does and it integrates with existing U2F/FIDO standards so either a hard or soft device can be used.
I don't want Bluetooth, NFC or software u2f devices for security reasons, but I also think they could each have additional support problems if given to family members.
The ideal option for me would be an applet on a smartcard in my phone's 2nd sim bay and a hard power toggle for the 2nd bay. Then I suppose my phone could also provide proxying of u2f as a USB device.
But last I looked Android was blocking access to simcard slots for general purpose...
It's awkward enough for desktop use that push to mobile is a superior UX.