____tom____ 5 days ago

> Note: if you’re a developer and your users have gmail accounts, an authenticator code is NOT a 2nd factor, if that user is using Google Authenticator.

So many people and developers do not understand two factor authentication. If the necessary information is automatically synced to another device, you likely don't have two factor auth.

Example: If you log in from a Macbook, and the second auth is sent to your phone, Apple will helpfully forward that code to the Macbook, completely removing the second factor.

UncleMeat 5 days ago | parent | next [-]

There’s threats and there are threats. Second factors largely exist to prevent password stuffing from password reuse. Even if the second factor is the same device as the device where you are initiating a login this works just fine.

If your goal is to stay safe even after one of your devices is owned then you’ve got a rarer (and way more difficult) threat model.

commandersaki 4 days ago | parent [-]

How did this user's Coinbase account get hacked anyway? Did they reuse passwords? Did the attacker even have passwords?

PaulHoule 5 days ago | parent | prev | next [-]

It doesn’t work because people don’t understand it. They understand they are getting harassed all the time and are in a state of terror because you might get locked out of your accounts because you lost a device or because something went wrong with your relationship with Apple, Google, Microsoft and other large unaccountable vendors, something you may or may not get an explanation of.

Since you’re getting harassed all the time and dealing with opaque rules it is no wonder people are fatigued, make mistakes, are inclined to panic when they get a scary call and hand over the keys, etc.

To add to that, having anything to do with crypto is to put a big target on your back and make yourself vulnerable.


joshuamorton 5 days ago | parent | prev | next [-]

Two factor usually means "something you have + something you know". So your MacBook + your password is two factors.

I've seen references to "three factor" auth, which is often a push notification to a phone, and then there are more secure second factors, like yubikeys or code-protected passkeys.

jenadine 4 days ago | parent [-]

I don't know my passwords: They are stored on my MacBook.

joshuamorton 4 days ago | parent [-]

Does your MacBook require you to enter a password to log in?

jiveturkey 5 days ago | parent | prev [-]

MFA is a cargo cult these days.