I’ve been going through updating all of my accounts (passwords, 2FA, etc.), and I’ve noticed that there are a lot of sites that don’t offer any form of MFA.
I can understand smaller services that might not have the bandwidth, but surely larger organisations are able to get this setup?
I was going to mention the support aspect. I believe some TOTP 2FA applications have automatic online backups by default but some don’t and require users to make their own backups. I can only imagine how challenging it would be to deal with users who have locked themselves out of their account due to their 2FA setup.
I had to go through that with itch.io a while back and had to verify my most recent purchases to recover my account. It was nice I was able to get it back but that in itself could be a security concern.