It’s a circus out there…
One of my financial institutions supports yubikeys, but does not have the option to turn off sms 2fa. A chain is as strong as the weakest link, as usual.
Another only has sms 2fa and bizarrely allows me to specify any phone number at login time to receive the code. WTF?
Most only have 2fa via sms. When you talk about using an authenticator app people bitch and moan because they have to cut and paste those digits into the login page. Oh, the humanity…
Don’t even get me started on sites with “roll your own” schemes, like forcing you to install their app (which requires all permissions under the sun) just to accept a push message and allow you to login on their website.
Don’t forget quicksand… I spent all my childhood afraid of falling into it. Somehow it was an unwarranted concern.