cnst | 7 days ago
> And even if proper passwords are used, many sites/apps use this pattern for account recovery if the password is forgotten, so effectively this is the only security, as an attacker has "forgotten" the password and just uses this flow to log in. Why is NO ONE talking about this? This is exactly why 2FA is less secure than password authentication, because with password authentication the attacker actually has to be able to capture the password in some way, whereas with 2FA, effectively anyone anywhere with skills akin to the most junior private investigator has the capability and tools to take over anyone's account "protected" by 2FA. Yet we're still being told that 2FA is mandatory because security is important, and that somehow 2FA is still more secure.