[quotemsg=21202914,0,746346][quotemsg=21199524,0,894122]For one, and this is a BIG one:
Many, if not most, people are (at least occasionally, if not) regularly accessing the accounts in question on their smartphone these days.
So if your "Second Factor Authentication" is also on your phone...
Well, it's not really second factor at all in the first place, is it?
Even if it was theoretically secured by a PIN, that has always been pretty weak, and likely not at all cryptographically secure.
Modern hardware keys are really the only way to handle 2FA anymore:
They are easily carried;
In a generally separate location (who really physically ties their wallet or keys to their smartphone anymore?... if so, they should really learn better in this day and age);
Can easily communicate wirelessly with most available smartphones and devices (even Apple, as of a year ago, the one stalwart against standardization);
Can use standard USB protocol to communicate with just about any wired device known to man;
Cannot (in knowledge) be emulated; only physical control of the key can duplicate the signed response, whereas anyone with an appropriate screencap can duplicate your authenticator (or any Time-based One-Time Password algorithm [TOTP] response).[/quotemsg]
By those standards, nothing is secure as anything can be stolen. It's a massive hurdle to get past to gain screen capture and key logging control over a smart phone. You'd basically have to steal the specific one and return it to the owner unnoticed. Sure, that's easy in Tom Cruise movies but not so much in real life. No security is perfect, but 2FA is infinitely safer than a plain password.[/quotemsg]
Dead wrong. Nearly all compromised accounts these days come from phishing attacks, and 2FA does nothing to prevent phishing. It's really not much more difficult than obtaining a username and password, full stop.
Edit: 2FA using a code generated by any means, app on the phone, sms, or email. Physical 2FA keys on the other hand work really well.
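
The distinction the posts above argue over, as an added sketch that is not code from any poster in the thread: a TOTP code is checked against the shared secret and the clock only, while a hardware-key response is also checked against the origin the browser reported. The key exchange is modelled loosely on WebAuthn's origin-bound client data; the HMAC standing in for the key's signature, the origins, secrets and function names are all assumptions for a stdlib-only demo.

```python
import hashlib, hmac, json, struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the shared secret and the clock."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, submitted: str, now: int) -> bool:
    # The server sees only the digits; nothing records which site they were typed into.
    return hmac.compare_digest(totp(secret, now), submitted)

def key_sign(key: bytes, challenge: str, browser_origin: str) -> dict:
    # Simplified hardware-key response: the browser, not the page, supplies the origin.
    # HMAC stands in for the key's private-key signature (assumption, see lead-in).
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin})
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def server_accepts_key(key: bytes, resp: dict, challenge: str, expected_origin: str) -> bool:
    expected = hmac.new(key, resp["client_data"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, resp["sig"]):
        return False
    data = json.loads(resp["client_data"])
    return data["challenge"] == challenge and data["origin"] == expected_origin

# Constructed sample values (SECRET is the RFC 6238 test secret).
SECRET = b"12345678901234567890"
KEY = b"constructed-demo-key"
REAL, LOOKALIKE = "https://bank.example", "https://bank-login.example"
NOW = 60

def demo() -> dict:
    code = totp(SECRET, NOW)                 # what the authenticator app displays
    challenge = "constructed-challenge-001"  # issued by the real server
    return {
        "totp_entered_on_real_site": server_accepts_totp(SECRET, code, NOW),
        "totp_entered_elsewhere_then_forwarded": server_accepts_totp(SECRET, code, NOW + 10),
        "key_used_on_real_site": server_accepts_key(
            KEY, key_sign(KEY, challenge, REAL), challenge, REAL),
        "key_used_on_lookalike_site": server_accepts_key(
            KEY, key_sign(KEY, challenge, LOOKALIKE), challenge, REAL),
    }

if __name__ == "__main__":
    print(demo())
```

Only the last case is rejected: the signed data names the lookalike origin, so the response is useless to the real server even though the key and challenge are genuine.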