You can scrape email/sms for codes automatically and add them to the clipboard or autofill, and what does user hostile even mean? User hostile is losing all of a user's data because you were more concerned with customers liking how easy your service is to use than you were about ensuring your service didn't hurt them.
You can do better than email/sms, especially sms, but they're transitionary technologies. I log in to way more things than most people do way more often. I don't use password authentication alone unless it's literally my only option.
> You can scrape email/sms for codes automatically
IF they arrive right away, which isn't guaranteed for either method.
Also, do you seriously suggest that every single user set up some kind of x-platform scraping service (how would you scrape an SMS code to a computer's clipboard)???
"User hostile" means that you impose a cost on users without consent and in many cases without benefit.
> I don't use password authentication alone unless it's literally my only option.
That's fine, but this isn't a conversation about you. I'm fine with a high-entropy auto-generated password for a huge bunch of services.
Reading passwords from SMS is already in Android and iOS, passwords from emails is in iOS (with mail). For that matter, there is no reason TOTP codes can’t be autofilled along with your username/password. The tooling around this stuff keeps getting better and more widespread because it’s getting more prevalent.
> How would you scrape an SMS code to a computer’s clipboard
There’s no technical reason this same idea can’t work with every OS.
> impose a cost on users without consent
We have 1.3 million people who had their personal information leaked by an anti-Semite. More people are impacted by the breach in privacy than just the people who reused their passwords. The level of security was not appropriate to the context. Forcing costs on users can be good when said users are handling sensitive PII.