Hacker News

devoutsalsa, yesterday at 3:01 PM (2 replies)

My personal 2FA favorite is OTP + authenticator app. It behaves predictably and doesn’t have weird failure conditions.

SMS 2FA tied to your mobile number sucks if it doesn’t support Google Voice, especially when traveling internationally and your SIM card isn’t in your phone.

Email 2FA usually works, but I just find it annoying.

App-specific push notifications mostly work, but it’s hard to debug if you don’t get the notification. For example, I recently bought a new phone and all of my apps were reinstalled when I restored from a cloud backup. For some reason app notifications didn’t work until I uninstalled & reinstalled the apps. And reinstalling the apps was a bit confusing because some of the apps were not available in the app store based on my physical location in a different country at the time.


Replies

tptacek, yesterday at 3:12 PM

TOTP isn't phishing-resistant, which is the whole ballgame. I've had the job of working on authentication for highly-targeted mass-market systems, and code-generators basically don't work: they raise the bar on phishing attacks to a level phishers still easily meet.

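To make the point in the reply above concrete, here is an added example (not code from the thread or from any of the commenters): an RFC 6238 TOTP verifier, next to a toy origin-bound verifier (a hypothetical stand-in for the kind of check a WebAuthn-style authenticator does, not the real protocol). The only inputs to TOTP verification are the shared secret and the time, so a code the user types into a lookalike page is exactly the code the real site accepts. The toy origin-bound scheme mixes the origin the client actually talked to into the signed data, so the same forwarded value fails at the real site. The base32 secret, origins and challenge bytes are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret, in the base32 form an authenticator app is provisioned with.
SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP = 30      # RFC 6238 default time step in seconds
DIGITS = 6     # RFC 6238 default code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` time steps of clock drift.
    Note what is NOT an input here: the origin the user typed the code into."""
    counter = at // STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return True
    return False


def origin_bound_response(secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Toy origin-bound response (hypothetical scheme, not WebAuthn): the client
    authenticates the server's challenge together with the origin it is actually
    talking to, so the value is only meaningful for that origin."""
    return hmac.new(secret, challenge + origin.encode(), hashlib.sha256).digest()


def verify_origin_bound(secret: bytes, challenge: bytes, expected_origin: str,
                        response: bytes) -> bool:
    """The real site verifies against ITS OWN origin, not whatever the client saw."""
    expected = origin_bound_response(secret, challenge, expected_origin)
    return hmac.compare_digest(expected, response)


def relay_demo(at: int) -> dict:
    """Model the failure mode abstractly: a value produced while the user believes
    they are on the real site is forwarded by an intermediary to the real site a
    few seconds later. Returns whether each verifier accepts the forwarded value."""
    secret = base64.b32decode(SECRET_B32)
    real_origin = "https://accounts.example"            # constructed
    lookalike_origin = "https://accounts-example.test"  # constructed

    # TOTP: the code depends only on (secret, time); the real site cannot tell
    # where it was typed, so a forwarded code within the window is accepted.
    code = totp(secret, at)
    totp_relay_accepted = verify_totp(secret, code, at + 5)

    # Origin-bound: the client signs over the origin it really saw (the lookalike).
    # The real site expects its own origin, so the forwarded response is rejected.
    challenge = b"\x01\x02\x03\x04\x05\x06\x07\x08"  # constructed server challenge
    response = origin_bound_response(secret, challenge, lookalike_origin)
    bound_relay_accepted = verify_origin_bound(secret, challenge, real_origin, response)

    return {
        "totp_relay_accepted": totp_relay_accepted,
        "origin_bound_relay_accepted": bound_relay_accepted,
    }


if __name__ == "__main__":
    print(relay_demo(1_700_000_000))
```

The TOTP verifier's drift window is the usual operational compromise (a larger window means more tolerance for clock skew and a longer relay window), but no choice of window changes the structural property: nothing in the verified value identifies the page the user was looking at. That is the difference the reply is pointing at, and it is why the defensive answer is origin-bound credentials rather than stricter code handling.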
kmoser, yesterday at 3:17 PM

I hate email 2FA because I purposely don't have email on my phone. Unless I'm in front of my computer, I'm unable to log in to websites that use email 2FA.
