
Two-factor authentication is nothing more than a massive vulnerability. We've seen people somehow change our listed contact numbers through unknown exploits, then hijack ownership of properties using the new number to prove they are us. This wouldn't be possible if not for 2nd-factor authorization schemes.


Only for 2-factor schemes that rely on your phone number. Those are horribly insecure; there's a reason NIST and pretty much all security experts recommend against using them.

SMS authentication was created as a cheap hack to get around needing SecurID tokens, and should have been abandoned when TOTP (Google Authenticator and the like) became possible.


SecurID tokens do TOTP just fine.


True, I mean the OATH standard / RFC 6238 style TOTP, which runs on generic hardware (a smartphone or PC).


I agree with you completely that those are totally insecure. However, "2nd factor" as a dictionary vernacular term has become synonymous in the press with a telephone number and some sort of texting scheme. Before this there was little incentive to hijack phone numbers. No longer is that the case.

Having a phone number is not secure in any way, proves nothing, and offloading security onto a totally insecure system such as the possession of phone numbers was a massive cop out and completely irresponsible.

Maybe, as you say, there are 2nd-factor schemes that don't use phone numbers, but it hardly matters since the term "2nd factor" has unfortunately come to mean phone numbers in the vernacular.


> 2nd factor as a dictionary vernacular term has become synonymous in the press with a telephone number and some sort of texting scheme

I don't think that's true. Both my banks issue hardware tokens for challenge-response type authentication; these are widely in use and understood to be 2FA, and the same goes for many other services.

It's a typical case of "all cows are animals but not all animals are cows". I've yet to see the press categorically making that kind of mistake for 2FA; though I'm sure there will be some offenders, on the whole people - and the press - seem to know the difference. And it's up to us to correct these things where and when we see them, so if you do spot an article that incorrectly labels SMS as the one true 2FA then you should mail the author or the editor to get them to correct the record, pointing out that they are perpetrating a fallacy that could put their readers at risk.

This is not as far as I can see a lost battle - yet.


The biggest issue today is password reuse, and 2FA does help mitigate the liabilities of that. Is it perfect? No. Does it introduce more attack surface? Yes. But for the average user, it almost certainly increases their opsec.


Not just that, it's a bad solution to the problem it's attempting to solve. (What if your password manager gets compromised?) To have that problem, someone must both have your password manager database and the master password and/or keys to unlock it. Since you need your password manager on your phone, the assumption that having your phone somehow provides an additional factor over having your password manager is just plain wrong from the beginning. 2FA as implemented isn't even a second factor.

And, as others have mentioned, it increases the likelihood of getting locked out of your accounts (if you don't have your phone with you, or the battery died, or whatever), which encourages service providers to make account recovery easier (it needs to be easier if people are more likely to get locked out). And making account recovery easier makes it easier for other people to 'recover' your account.

3rd-party authentication (other people vouching that you are who you say you are) might be better, but would have its own problems.

In the end, the real solution to the problem of 'what if your password manager gets compromised?' is to minimize that possibility by _not_ having it online, having really strong master password and/or keys, and avoiding malware. 2FA doesn't help with that at all. It just adds its own problems.


SMS/phone numbers are a security nightmare as a 2nd factor. Using a key via an authenticator app as the 2nd factor is really good.



