IMO if it is possible to use a system wrongly which undermines its security, it is already broken.
This is how we get sites that block software tokens and only allow a whitelist of hardware based tokens.
I can chuck a brick at your head. Clearly the brick is broken.
There is no system which cannot be used wrongly in a way which undermines its security.
I mean, TOTP is one of the earliest two-factor systems, and works least well.
On the contrary - perfect security is only possible if your system is an inert rock. Or not even then, as the users could still use the rock "wrong" by beating security maximalists over their heads with it.
Also honestly TIL that TOTP is somehow supposed to also enforce a single copy of the backing token being in existence. That's not just bad UX, that feels closer to security overreach.
People in tech, especially software and security folks, tend to miss the fact that most websites with 2FA already put a heavier security burden on their users than anything else in real life. There's generally no other situation in people's lives that would require you to safely store for years a document that cannot be recovered or replaced when destroyed[0]. 2FA backup codes have a much stricter security standard than any government ID!
And then security people are surprised there's so much pushback on passkeys.
--
[0] - The problem really manifests when you add a lack of any kind of customer support willing to or capable of resolving account access issues.