Multiple 2FA to log in on a new device, and a new login order

Also coming from NordPass, it was slightly different, but I liked it.

The way NordPass logged in when the device was new:

  1. Enter email
  2. Enter 2FA (code they would email you)
  3. Enter 2FA (app-generated)
  4. Enter master password

I feel this form and order of authentication do make it more secure, as the master password is not the first piece of information needed to verify identity/access.

I also like having multiple 2FA requirements on the off chance that one 2FA becomes compromised; the second one should catch the issue.
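The four-step new-device order described in this post, as an added example that is not code from the thread, from NordPass or from Bitwarden: a constructed server-side state machine in Python that collects the factors in that order, only lets a session advance one step at a time, discards the session on any failure, and never asks for (or checks) the master password until both second factors have passed. Everything in it is illustrative: the `NewDeviceLogin` and `make_user` names, the `alice@example.com` account, the use of the RFC 6238 reference secret as the authenticator key, and the PBKDF2 parameters. The e-mailed code is returned to the caller only so the example runs offline; a real server delivers it out of band.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed for this example: the RFC 6238 reference secret "12345678901234567890", base32-encoded.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TOTP_STEP = 30
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 600_000  # OWASP's published figure for PBKDF2-HMAC-SHA256
EMAIL_CODE_TTL = 600     # seconds an e-mailed code stays valid


class LoginError(Exception):
    """Any failure: the session is discarded and the client must start over at step 1."""


def totp(secret_b32, t=None, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP over HMAC-SHA1, the variant authenticator apps use by default."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int((time.time() if t is None else t) // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def make_user(master_password, totp_secret):
    """Constructed user record: salted PBKDF2 hash of the master password plus the authenticator secret."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "password_hash": hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
        "last_totp_counter": -1,  # highest TOTP counter already accepted, so a code cannot be replayed
    }


class NewDeviceLogin:
    """Hypothetical server side of the order: e-mail, e-mailed code, TOTP, master password."""

    def __init__(self, users):
        self.users = users    # e-mail -> record from make_user()
        self.sessions = {}    # session id -> {"email", "step", "code", "expires"}

    def _fail(self, sid):
        self.sessions.pop(sid, None)
        raise LoginError("authentication failed")

    def _expect(self, sid, step):
        session = self.sessions.get(sid)
        if session is None or session["step"] != step:  # wrong step or no session: no skipping ahead
            self._fail(sid)
        return session

    def submit_email(self, email):
        """Step 1. A session is started even for an unknown e-mail so the reply does not reveal
        whether the account exists. Returns (session id, e-mailed code)."""
        sid = secrets.token_hex(16)
        code = "%06d" % secrets.randbelow(10 ** 6)
        self.sessions[sid] = {"email": email, "step": "email_code", "code": code,
                              "expires": time.time() + EMAIL_CODE_TTL}
        return sid, code

    def submit_email_code(self, sid, code):
        """Step 2: the code from the mailbox, compared in constant time and only while unexpired."""
        session = self._expect(sid, "email_code")
        if time.time() > session["expires"] or not hmac.compare_digest(session["code"].encode(), code.encode()):
            self._fail(sid)
        session["step"] = "totp"

    def submit_totp(self, sid, code, now=None):
        """Step 3: authenticator code; one step of clock drift tolerated, each counter accepted once."""
        session = self._expect(sid, "totp")
        user = self.users.get(session["email"])
        now = time.time() if now is None else now
        matched = None
        if user is not None:  # an unknown account has no secret and fails here, still before the password
            base = int(now // TOTP_STEP)
            for counter in (base - 1, base, base + 1):
                expected = totp(user["totp_secret"], t=counter * TOTP_STEP)
                if hmac.compare_digest(expected.encode(), code.encode()) and counter > user["last_totp_counter"]:
                    matched = counter
        if matched is None:
            self._fail(sid)
        user["last_totp_counter"] = matched
        session["step"] = "master_password"

    def submit_master_password(self, sid, master_password):
        """Step 4, last: reachable only after both second factors succeeded."""
        session = self._expect(sid, "master_password")
        user = self.users[session["email"]]
        derived = hashlib.pbkdf2_hmac("sha256", master_password.encode(), user["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(derived, user["password_hash"]):
            self._fail(sid)
        self.sessions.pop(sid)
        return True


def demo(now=59):
    """Happy path plus two attacks against a constructed account; returns the outcome of each."""
    password = "correct horse battery staple"
    login = NewDeviceLogin({"alice@example.com": make_user(password, RFC_SECRET)})
    results = {}

    sid, emailed = login.submit_email("alice@example.com")
    login.submit_email_code(sid, emailed)
    login.submit_totp(sid, totp(RFC_SECRET, t=now), now=now)
    results["happy_path"] = login.submit_master_password(sid, password)

    # Attacker who phished the password and reads the mailbox but lacks the authenticator:
    # stopped at step 3, so the password is never even requested.
    sid, emailed = login.submit_email("alice@example.com")
    login.submit_email_code(sid, emailed)
    try:
        login.submit_totp(sid, "000000", now=now)
        results["wrong_totp"] = "accepted"
    except LoginError:
        results["wrong_totp"] = "rejected"

    # Attacker who tries to jump from step 1 straight to the password prompt.
    sid, _ = login.submit_email("alice@example.com")
    try:
        login.submit_master_password(sid, password)
        results["skipped_steps"] = "accepted"
    except LoginError:
        results["skipped_steps"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering is enforced by the `step` field rather than by the client, which is the property the post is after: an attacker holding the master password still has to get past the mailbox and the authenticator first, and a failure at either factor throws away the session instead of falling through to a password prompt. The `last_totp_counter` bookkeeping is the practitioner caveat that usually gets missed: without it, a TOTP code captured during the drift window can be replayed within the same 30-second step.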

Nifty concept. Not a whole lot of benefit for an attacker to gain access to a newly created account; it would be empty. And for an attacker to attack the account in this manner would require an active attack at the time the account is created, before 2FA could be set up.

In BW’s case, there is also the issue that many forms of 2FA are paid features, which requires an account in the first place. Bootstrapping issue.

I do agree that optional 2FA setup at time of account creation is a good idea if you can keep it streamlined enough. The main concern with any 2FA is the UX around having a backup method to access.