I’d be curious to know which services are confirmed to have solid 2FA reset practices (i.e., you can do it if you lose your keys; no one else can do it).
These would probably be smaller businesses that earn their revenue directly from paying customers (and would lose if you give up and cancel your card/block their transactions)—I can’t imagine this ever working for ad-driven whales like Google or Facebook, or large corporations to whom you’re small fish and need them more than they need you.
Also, it’ll be interesting to see how 2FA reset options evolve in near future. A 24-hour slot to reset only 2FA, for example, looks like a valid attack vector. Also, I suspect deepfaking videocalls won’t be out of reach of a dedicated but average attacker for long.
> I can’t imagine this ever working for ad-driven whales like Google
Google was one of those that offers account recovery[1], but has it fully automated. I did not need it, because Google urged strongly to create backup tokens. I had those in my encrypted backup.
Focusing too much on what can go wrong is unproductive. I could also steal your iPhone, or force you to reveal a 2fa token using the Rubber Tube Decryption method.
There is no such thing as 100% security. And certainly not if it needs to be balanced against some real-world-ease such as "recovering after you dropped your iPhone in the toilet".
The 24hour recovery slot was at my cloud VPS service from which I got a bazillion warning mails. "your 2fa will be disabled in 48 hours, did you not initialize this, click here to ...".
The least secure was at my bookkeeper's online portal, where I could call them over the phone, offer some simple verification and have 2fa disabled. That does not remove my trust in them, because 1) it is an account that needs less security than e.g. my AWS account, and 2) they do know me personally and I them. It actually makes me trust them more because I know they are there for me when I need them.
These would probably be smaller businesses that earn their revenue directly from paying customers (and would lose if you give up and cancel your card/block their transactions)—I can’t imagine this ever working for ad-driven whales like Google or Facebook, or large corporations to whom you’re small fish and need them more than they need you.
Also, it’ll be interesting to see how 2FA reset options evolve in near future. A 24-hour slot to reset only 2FA, for example, looks like a valid attack vector. Also, I suspect deepfaking videocalls won’t be out of reach of a dedicated but average attacker for long.