He said he set up 2FA and then lost the "corporate device" providing it.
This is why you always set up backup codes. The 2FA is doing its job here keeping the account safe from someone who doesn't have the token, which unfortunately is the account holder.
Wow, didn't expect this post to blow up like this.
For reference, I have no 2FA, nor did I lose my corporate device. I've always accessed it through a web browser, never through a mobile, therefore when it asks me to verify with my corporate mobile device, I do not know what device it is referring to.
What options do they have now, if they abruptly stopped using that phone number for some reason 10 years ago and had no realistic way to know which 275 utilities were hitched to the number (or even if they did, couldn't contact support for reasons described in the article), for example:
- because they couldn't afford to pay the bills for a while
- or moved country
- or changed contract and then found they couldn't port the number (happened to me) and lost the old number
- or someone took their phone and they were unable in practice to recover the number or continue using it
- or they were ill in hospital for long enough their phone contract expired and they could not have dealt with transfer issues at the time
They don't remember, which is probably how they got themselves into this mess, which everyone else uses as an opportunity to share their Google hate and call for regulation.
This is why you always set up backup codes. The 2FA is doing its job here keeping the account safe from someone who doesn't have the token, which unfortunately is the account holder.