Bingo. The support cost of MFA, especially non-SMS methods where some of the recovery process is delegated to the mobile operator, is the top-level bit.
It’s frustrating to see technical people discount or ignore that side of the deployment work, because that’s the kind of issue that actually blocks most security and cryptography measures in practice.
If I had a thousand dollars for every time I heard “just make the user keep a key safe” I could fund so much UX research :)
Google Authenticator AFAIK doesn't even let you backup the codes. When your phone is lost or breaks, you have to reset every account by some other way.
Use Authy, 2faone or any other totp tool than google authenticator. Shame on Google, honestly, for not enabling a backup mechanism for that. If you can’t do it right, don’t do it at all.
It’s frustrating to see technical people discount or ignore that side of the deployment work, because that’s the kind of issue that actually blocks most security and cryptography measures in practice.
If I had a thousand dollars for every time I heard “just make the user keep a key safe” I could fund so much UX research :)