What gets me about 2-factor auth is that the level of extra security you get isn’t higher than the level of pain in the ass it requires.
You’re more than doubling the pain in the ass. The only account I have 2-factor on is my bank account. Now, in order to check my balance, I have to have my phone on me, I have to wait for a phone call, I have to type in a code from my computer onto the phone. The reception at my house isn’t the greatest, so there have been times that I didn’t receive the call at all. This made paying bills an adventure right before work. More than double the pain in the ass.
And in exchange, I’m getting what is hopefully a slightly more secure bank account. In theory, it’s harder for someone else to log in as me (just as it’s harder for me to log in as me). But… the bigger worry is that with every bit of infrastructure that the bank implements to make this happen, there is more room for more possible bugs. If we assume that their setup is perfect, then it makes everything more secure. I get that. It’s unlikely (though not impossible) that a criminal would have access to both my phone and my computer. It’s unlikely that they would find a bug in both my phone and my computer, to exploit this with. But that’s assuming that the setup is perfect, and one consistent thing in computer security (and computer programming, and really any sort of engineering) is that nothing is ever perfect. So, the exact implementation of 2-factor is now suspect, and it could be an additional vector to get into my account that wasn’t there before.
So I actually intentionally avoid 2-factor auth. Make a more secure single factor and I’m all for it, but this just seems like a bad idea to try to account for and patch over previous bad ideas.