The solution to that is to make the increasingly intrusive security processes an opt in, not to completely write off anyone who can't reliably keep a particular physical device on their person and working indefinitely.
> The solution to that is to make the increasingly intrusive security processes an opt in
Absolutely. A common phrase is "mechanism, not policy". The service providers should be enabling all kinds of mechanisms for account level security so users can pick what works best for them. They should absolutely not be imposing any kind of policy. That's where all the source of trouble comes from.
Only I know the threat models I care about for any particular account I have.
For some of them, preventing unauthorized access is the top priority and I'll enable geofencing, 2FA, hardware tokens.
For other accounts, availability is an absolute must and more important than anything else so for those I'll just have a strong password.
Only I can possibly know the correct answer, so for a service provider to come in and impose their policy on my requirements is fundamentally wrong.
> Only I know the threat models I care about for any particular account I have.
You are not necessarily the person being negatively affected.
Email service providers are all about reputation so their stuff isn't marked as spam. When your account gets hacked and starts sending viagra ads, you are not the one who suffers the fallout.
There are lots of email providers out there with different policies. One of the reasons gmail is popular is because of these policies.
Gmail is already a well-known spammer. Loads of spam come from Google, I see it every day, by far the biggest source of spam I see. Unfortunately, they're also so big, with so many legitimate users, that you can't block them wholesale if you're expecting to deal with the public, many of whom have a gmail address.
In that case I think it's fine to have a default security profile, and let people add or remove things as they see fit. On account creation, they could even present a questionnaire that determines whether the user values security or availability more, and set the security requirements accordingly.
It used to be opt in until the icloud hacking saga where the public demanded something be done. So it was decided users want mandatory security by default. Almost all of these services provide backup codes you can write down on paper as well.
Sure, some people are going to lose their only device and the bit of paper, but at that point if you have literally nothing to identify yourself with, it's going to be hard to provide a secure service to you.
It can still be opt out with a fallback on the old approach of security questions. The name of your first pet, your favorite teacher, etc.
It doesn't matter how much in general 2FA works out better for most people, there are lots of people for whom it is not viable. They know who they are. Give them an option that doesn't make their life worse.
OP knows who they are, but I would not be surprised if many poor/homeless users wouldn't realize they need to opt out of something until they find out the hard way when they're locked out and can't get back in.
That might help for a certain subset of people in this scenario, but there are also people with subtle mental conditions that, while capable of living productive lives, are also unable to deal with MFA. There are also the elderly and the non-tech-literate.