2FA (including U2F and whatever else) has one big problem that this article fails to mention. And when 2FA is suggested, this really should be said explicitly.
Users aren't warned enough about the fact that everything fails, and they will have to go through the 2FA deactivation/account recovery process sooner or later. They must be really reminded to DO BACK UP the recovery code(s). With "back up" as in "keep not just somewhere, but where you can actually find it when you need it". (But not in your password manager)
This is true for SMS 2FA as well, but completely losing the number (as long as one's a paying customer) must be significantly less common than losing a device.
This is what somehow doesn't get mentioned as much as security. It's a tradeoff between not getting hacked, not getting locked out by accident, and convenience. If you get locked out of Gmail, you're up the creek. Google won't help. It's just gone forever.
Having 2 factors increases the chance that you'll lock yourself out. If you've got two, then you really need 4:
1) Password
2) 2FA
3) Backup codes for when you lose the 2FA device/number
4) Phone number or email address for password recovery when you forget your password. Not the same number as 2 of course.
So true! We have thousands of employees at our company using GitHub.com, and every week someone loses access to their account permanently. Why? They never bothered to store the original recovery codes for the account.
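As an added illustration of the recovery-code handling the comments above describe (not code from this thread or from GitHub), here is a minimal server-side scheme: codes are shown to the user exactly once, stored only as salted hashes, and each one can be redeemed a single time. The class and function names are my own assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_BYTES = 5       # 40 bits of entropy per code (10 hex characters)
CODE_COUNT = 8       # how many codes to issue per user


def _hash_code(code: str, salt: bytes) -> bytes:
    # Only a salted, stretched hash is stored, so a database leak
    # does not hand out working recovery codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


def _normalize(code: str) -> str:
    # Accept the code however the user typed it (spaces, dashes, case).
    return code.replace("-", "").replace(" ", "").strip().lower()


@dataclass
class RecoveryCodes:
    salt: bytes
    hashes: list  # hashes of still-unused codes; an entry is deleted on use

    @classmethod
    def issue(cls, count: int = CODE_COUNT):
        """Generate fresh codes; returns (stored object, plaintext list).

        The plaintext list is what the user is told to back up; it is
        never persisted by the server.
        """
        salt = secrets.token_bytes(16)
        plain = [secrets.token_hex(CODE_BYTES) for _ in range(count)]
        return cls(salt, [_hash_code(c, salt) for c in plain]), plain

    def redeem(self, candidate: str) -> bool:
        """Consume one code; each code works exactly once."""
        digest = _hash_code(_normalize(candidate), self.salt)
        for i, stored in enumerate(self.hashes):
            # Constant-time comparison avoids leaking which code matched.
            if hmac.compare_digest(stored, digest):
                del self.hashes[i]
                return True
        return False

    def remaining(self) -> int:
        # Worth surfacing to the user: a low count means it is time
        # to regenerate and re-back-up a fresh set.
        return len(self.hashes)
```

Showing the codes once and then keeping only hashes is exactly why the codes cannot be recovered later if the user never stored them.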