You have to remove SMS as 2FA/recovery phone to safeguard your account, but who really does so?

Hi,

Currently I use username + password + 2FA (TOTP or keys or recovery codes) to safeguard my account.

However, even if I am brave enough to remove SMS as 2FA from my accounts,
Google still lists my phone number as a “recovery phone”.

Indeed, who dares to completely remove any phone number from the account?

And if you ALLOW keeping the phone number as 2FA or recovery,
then your whole setup is as weak as SMS 2FA…
making authenticators, YubiKeys etc. worthless.

But who does dare to remove every phone number from all accounts?

Thanks

@ccchan234

Well, yes and no.

I agree that it would be the weakest link.

But don’t forget that by using e.g. your YubiKey, in that moment, you almost can’t get phished. So that is not completely worthless, but a security gain. Your credential not getting leaked by that is a security gain.

But, of course, again, the weakest link doesn’t go away. Malware doesn’t go away. etc.

Security is not 0% vs 100%. :man_shrugging:

PS: I am “eager” to remove all weak 2FA… For me it is not a question of “do I dare” (because I dare), but “which account does allow it?”

PPS: To the “do I dare”: most accounts are still tied to an email address. Having that, and, as you mention, recovery/backup codes, and storing all of it (and even having backups for that) should be enough, I think…
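The “yes and no” in the reply above can be made concrete with a small threat model. This is an added example, not code from the thread or from any provider; the capability labels, the factor-to-capability table and the two sample accounts are all assumptions chosen to illustrate the argument. Each account is a set of paths (the login path plus every recovery path the provider leaves enabled); a path needs all of its factors defeated, and the account falls if any single path falls. The script then enumerates the smallest attacker capability sets that break each account, which is exactly the “weakest link” of the discussion.

```python
"""Toy 'weakest link' model: AND within a path, OR across paths.

Constructed example for the forum discussion above; the factor table is a
simplification, not a statement about any specific provider.
"""
from itertools import combinations

# Attacker capabilities (assumed labels for this model)
PHISH = "phish"        # real-time phishing site relaying passwords and OTP codes
SIM_SWAP = "sim_swap"  # takes over the victim's phone number
MALWARE = "malware"    # malware on the device holding passwords, TOTP seeds, codes
PHYSICAL = "physical"  # physical theft of the hardware key

# Which capabilities defeat which factor (assumed, deliberately simplified)
DEFEATS = {
    "password": {PHISH, MALWARE},
    "totp": {PHISH, MALWARE},
    "sms": {PHISH, SIM_SWAP, MALWARE},
    "yubikey": {PHYSICAL},         # FIDO origin binding: a phishing page gets nothing
    "recovery_codes": {MALWARE},   # assumed to be stored on the same device
}

ALL_CAPS = frozenset({PHISH, SIM_SWAP, MALWARE, PHYSICAL})


def path_falls(path, caps):
    """A path (AND of factors) falls when every factor is defeated by some capability."""
    return all(DEFEATS[factor] & set(caps) for factor in path)


def fallen_paths(account, caps):
    """Names of the paths an attacker with `caps` can walk; the account falls if any."""
    return [name for name, path in account.items() if path_falls(path, caps)]


def minimal_attacks(account):
    """Smallest capability sets that break the account: its weakest links."""
    found = []
    for size in range(1, len(ALL_CAPS) + 1):
        for combo in combinations(sorted(ALL_CAPS), size):
            caps = frozenset(combo)
            if any(smaller <= caps for smaller in found):
                continue  # a subset already wins, so this set is not minimal
            if fallen_paths(account, caps):
                found.append(caps)
    return sorted(sorted(s) for s in found)


# Two sample accounts with the same phishing-resistant login path;
# only the recovery path differs.
WITH_SMS_RECOVERY = {
    "login": ("password", "yubikey"),
    "recovery": ("sms",),
}
WITHOUT_SMS_RECOVERY = {
    "login": ("password", "yubikey"),
    "recovery": ("recovery_codes",),
}

if __name__ == "__main__":
    for label, acct in (("with SMS recovery", WITH_SMS_RECOVERY),
                        ("without SMS recovery", WITHOUT_SMS_RECOVERY)):
        print(label, "- minimal attacks:", minimal_attacks(acct))
        print("   paths a pure phisher breaks:", fallen_paths(acct, {PHISH}))
```

Run as a script it shows both halves of the argument: with the SMS recovery path enabled a single capability (a SIM swap, a phishing page aimed at the recovery flow, or malware) is enough, while without it a phisher alone breaks nothing and has to combine phishing with physical theft of the key. At the same time, a pure phisher never gets the login path in either account, which is the gain the YubiKey still delivers even when SMS recovery stays on.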

I think you are asking for an answer that can’t be generalized to everybody in all situations, since it would depend on your accounts’ security options and your needs between accessibility and security. The rule “enable only your strongest 2FA and disable the rest” is a rule of thumb with exceptions; I personally don’t think you need to go head over heels about it if you know what the implications are.

For example:

  • Google apparently makes your Android phone a recovery phone regardless of whether you put the phone number in your account or not, just because they know it. This seems to be true for my non-high-security account.
  • I have a Duo push account with the alternative of SMS/phone 2FA because otherwise there is no immediate backup, not even recovery codes. You can obviously use other phone numbers besides your main one to reduce the risk.
  • You have accounts where you want your service providers to reach you however they can.

Yes, and I think that is a good rule, but we shouldn’t forget that there is another “rule”… Discussing the pros and cons of the different 2FA methods is really important, but as I “hear” it, most security experts then also say “even the weakest kind of 2FA is still better than no 2FA” (in the sense of “even the weakest, not very secure method is still an additional hurdle”).