> You can scrape email/sms for codes automatically
IF they arrive right away, which isn't guaranteed for either method.
Also, do you seriously suggest that every single user set up some kind of x-platform scraping service (how would you scrape an SMS code to a computer's clipboard)???
"User hostile" means that you impose a cost on users without consent and in many cases without benefit.
> I don't use password authentication alone unless it's literally my only option.
That's fine, but this isn't a conversation about you. I'm fine with a high-entropy auto-generated password for a huge bunch of services.
Reading passwords from SMS is already in Android and iOS; reading passwords from emails is in iOS (with Mail). For that matter, there is no reason TOTP codes can’t be autofilled along with your username/password. The tooling around this stuff keeps getting better and more widespread because it’s getting more prevalent.
> How would you scrape an SMS code to a computer’s clipboard
There’s no technical reason this same idea can’t work with every OS.
> impose a cost on users without consent
We have 1.3 million people who had their personal information leaked by an anti-Semite. More people are impacted by the breach in privacy than just the people who reused their passwords. The level of security was not appropriate to the context. Forcing costs on users can be good when said users are handling sensitive PII.