So you can also possibly enjoy having 2FA demolished by a simple smartphone vulnerability that perhaps grabs both passwords and token in a single action...
Can you point to any instances where that's actually happened? Yes, sure, it's theoretically possible for someone to break into my fully patched phone and steal my 2FA secrets. But it's also theoretically possible for a mobster to break into my house, hold a gun to my head, and force me to log in to all of my bank accounts so that he or she can drain the money from them.
There is no such thing as perfect security, and I would much rather have people using a 2FA app on their phone than just username/password. Is it perfect? No, of course not. But insisting that the existence of phone vulnerabilities makes 2FA apps on phones unacceptable, and that the only form of acceptable security is for people to juggle dozens of authenticator tokens, is making the perfect the enemy of the good. It's because of "advice" like this that people ignore armchair security experts.
Does your credit card ever lock you out? For most people, no, it doesn't happen; for Julian Assange, we know it happened. Have we had a nuclear warhead explode by accident?
A dangerous thing remains dangerous even before accidents happen.