
More than just that. 2FA should

1a) be possible to disable, or

1b) Offer non-electronic second factors such as paper codes

2) Offer a broad range of options in general, not just phone or even worse only SMS. I can count the services that I can use my Yubikeys with on one hand

3) Be predictable (or at least be configurable like that) by the user and not behave differently under weird conditions such as your IP

4) Allow configuring more than just 2 factors. 2 factors are really bad. It should usually be 1 or 3+.

5) It should educate properly about how to use it and also about the risks (e.g. increased chance of losing access, especially when certain factors are used)

I think that when identity proofing actually becomes important, we should fully leave private services. That is something too important, so the state should either standardize and enforce it or offer it. Maybe offering a wide-scale MFA / Auth solution should come with similar restrictions to those we have for finance, including the identity proofing fallback you mentioned.
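As an added illustration of points 1b, 3 and 4 above (not code from the comment or from any particular service), here is a small Python sketch of a factor policy that lets the user enrol any number of factors and choose how many must pass, with one-time paper backup codes stored hashed and consumed on use; the decision depends only on which enrolled factors passed, never on IP or device. All names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Alphabet without visually ambiguous characters, since these codes are printed on paper.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _hash(code):
    # Codes are normalised (case, whitespace) so a hand-typed code still matches.
    # A fast hash is acceptable only because the codes are long and random;
    # low-entropy secrets would need a slow KDF instead.
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


def generate_backup_codes(count=8, length=10):
    """Return (plaintext codes to show once, hashed codes to persist)."""
    codes = ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]
    return codes, [_hash(c) for c in codes]


def redeem_backup_code(stored_hashes, submitted):
    """Consume one backup code: True and remove it on match, False otherwise."""
    candidate = _hash(submitted)
    for stored in stored_hashes:
        if hmac.compare_digest(stored, candidate):
            stored_hashes.remove(stored)  # single use: a code never works twice
            return True
    return False


class FactorPolicy:
    """k-of-n policy: the user picks how many of their enrolled factors must pass."""

    def __init__(self, enrolled, required):
        if not 1 <= required <= len(enrolled):
            raise ValueError("required must be between 1 and the number of enrolled factors")
        self.enrolled = set(enrolled)
        self.required = required

    def evaluate(self, passed):
        # Only enrolled factors count, and nothing else (IP, device, time) changes the outcome.
        return len(set(passed) & self.enrolled) >= self.required
```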
