If we want real 2FA, then we need to insist on client-side TLS certificate support. So a device with the private key/client-side TLS cert can connect, and then the account holder enters the username/password credentials to log in.
If you don't have the client-side TLS certificate, then you cannot log into the account. The account holder should take responsibility in adding more devices with their own private key/client-side TLS cert associated with the account in case they lose access to one of their devices.
SMS, email, and OTP-based 2FA offer a false sense of security at best.
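As an added example (not part of the original comment), the scheme described above in Python: the TLS layer refuses any connection without a client certificate, and login then succeeds only if that certificate is enrolled for the account and the password matches. The `Account` class, the `login` function, and pinning devices by SHA-256 certificate fingerprint are assumptions of this example.

```python
import hashlib
import hmac
import os
import ssl


def server_context(cert_file, key_file, client_ca_file):
    """Server-side TLS context that fails the handshake without a valid client cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(client_ca_file)  # CA that issues device certs
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fingerprint(cert_der):
    """SHA-256 over the DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.devices = set()  # fingerprints of enrolled device certs

    def enroll_device(self, cert_der):
        self.devices.add(fingerprint(cert_der))

    def revoke_device(self, cert_der):
        self.devices.discard(fingerprint(cert_der))


def login(accounts, username, password, peer_cert_der):
    """peer_cert_der is tls_socket.getpeercert(binary_form=True) after the handshake."""
    account = accounts.get(username)
    if account is None or peer_cert_der is None:
        return False
    # Factor 1: possession of a device key whose cert is enrolled for this account.
    device_ok = fingerprint(peer_cert_der) in account.devices
    # Factor 2: knowledge of the password, compared in constant time.
    pw_ok = hmac.compare_digest(hash_password(password, account.salt), account.pw_hash)
    return device_ok and pw_ok
```

Enrolling a second device ahead of time is what keeps the account reachable after one device is lost and its certificate revoked.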