To be fair, most of the issues resulting from forcing password recycling were that people made password systems, incrementing numbers, using the months of the year, etc.
I don't know of any, and I suspect there may not have been any, widely used consumer facing systems running around those lines.
I suspect most of the problems can be mitigated in a scenario where the use gets a new password, rather than getting to create a new password.
But yeah u2f 2fa is an absolute basic limit for serious services these days (pretty much anything else is subject to phishing).
I don't know of any, and I suspect there may not have been any, widely used consumer facing systems running around those lines.
I suspect most of the problems can be mitigated in a scenario where the use gets a new password, rather than getting to create a new password.
But yeah u2f 2fa is an absolute basic limit for serious services these days (pretty much anything else is subject to phishing).