2FA should be a requirement on everything now. And if your site can't for some reason or you don't want to deal with it, then limit your site to external login providers only.
2FA, especially app based, has been proven to work really really well.
It does not.
There are myriad ways of extracting the TOTP seed from these apps... Or you just reverse engineer the setup/confirmation process and then you can generate/trigger your own tokens from your automation workflow.
2FA is a good security feature but it does not help against web scraping. Credential stuffing and other 3rd party attacks? Yes, it _can_ help. But it does not always help. There's a phishing group that has seemingly specialised on getting people to click the green confirm button in their Duo app... ¯\_(ツ)_/¯
Check https://github.com/revalo/duo-bypass for a python script that can be used to automate Duo tokens... Has some code from me. There are similar scripts for all the other well known OTP Apps...
Having malware installed on every user's phone is so many orders of magnitude harder than downloading the latest db dump and testing the email/password on every other site.
At the bare minimum, TFA stops most attacks. That's a whole lot better than the current situation.
There are different methods of 2FA like scanning encrypted barcodes that show that you require intent.
It seems that the Duo core app is a variant of HOTP?
What's the name of the phishing group and any details on them?
There was a Defcon or Black Hat video where they would constantly send a push approval to the mobile which was not PIN protected and most people would click on it. Don't remember which OTP generator it was.
How do you propose to implement two-factor authentication, on something like the public facing homepage of an airline ticket price search website, where if you make people "sign in with google" or whatever, a sizeable proportion won't do it and will just go to the competition?
That's great till you're in a foreign country and your phone suddenly decides to die, leaving you stranded and unable to access bank accounts or prove your identity. (happened to me)
2FA isn't limited to one device, or specific 2FA mobile apps. For example I use oathtool for most 2FA things; you just need to store the secret (often in the form of a QR code, but many services will also offer a text version, and if not you can decode the QR).
100% reliance on a phone which is easily lost, broken, stolen, etc. without backup is really bad IMO. My bank (Revolut) only had a mobile app, and no way to contact them outside of it (I tried...) I need to switch banks.
Revolut now has a web app [1], which still tries to get you to log in via the mobile app, but this is not necessary. So long as you know your pass code and have alternative access to your email, then you can log in and do most of the things you can do via the app. You do have to wait 10 seconds for the privilege though (before allowing access via email there is a timer before you can confirm you do not have access to the mobile app).
That sounds like a bad planning problem in which you shouldn't have left yourself vulnerable to loss of electronic services. Not a tech issue that justifies intrusive spyware.