
I disagree.

Let's take your example of Mark Z.

What makes you think that this is unique case? What about people that suddenly come to fame, like viral video subjects?

A simple solution is to disallow logging in from new devices, with the attempt silently dropped so you are not bothered, unless you do some magic like generating a one-time key to complete the procedure on the new device.

I could think of a lot of people that would find it useful.

Or allow setting up a 2FA token (other than mobile) correctly.

Instead, what FB does is make it impossible to secure your account, because they insist that, whatever you want, you should always be able to recover your password with your phone number.

Years ago when I was still using it (I had reason) I tried to secure it with my Yubico. Unfortunately, it wasn't possible to configure FB to not allow you to log in on a new device without the key.

I understand how the discussion probably went: "Let's make it so that we can score some marketing points, but let's not really make it a requirement, because we will be flooded with requests from people who do not understand they will never be able to log in if they lose the token."

But that's exactly what I want. I have a small fleet of these, so it is not possible for me to lose them all, but unfortunately most sites that purport to allow 2FA can't do it well, because they either don't allow configuring multiple tokens or, if they do, they don't let you really lock your account so that it is not possible to log in the next time without the token.



> unfortunately most sites that purport to allow 2FA can't do it well, because they either don't allow configuring multiple tokens or, if they do, they don't let you really lock your account so that it is not possible to log in the next time without the token.

This is a great point. AFAIK, Google is the only service which allows you to set mandatory U2F login requirements. Does any other service offer this functionality?


In many enterprise apps you can force it, or depend on authentication from SSO providers like Google or Azure, which have this feature.

Consumer apps try hard not to do hard security unless they are forced to, usually for cost reasons.

Security measures like these create a ton of administrative tickets; check any sysadmin ticket queue and a good chunk is password reset/recovery. In enterprise apps the org's sysadmins are paid to handle this.

In consumer apps, the app company has to manage it; it is also a lot harder to verify the identity of a random user than of company employees, which makes it harder to do this kind of support.

A good jarring example is AWS: amazon.com and AWS did (does?) share an authentication stack, so some basic 2FA functionality like backup codes is not there for AWS.

Google is better at this because they have for a long time also focused on SSO service as a product.

Many companies use Google AD/SSO Workspace/Suite because third-party apps support Google login out of the box for free[1], maybe charge for AzureAD/SAML2, and likely don't support others at all without customization costs.

[1] It is standard because SMB/mid-market companies are more likely to use Google for productivity than Azure/O365, as it is easier to manage, albeit with fewer features. Third-party apps don't want to expend support time on smaller customers if they can avoid it.


The never-allowing-multiple-tokens thing drives me nuts.


People do bring this up on HN a lot. For WebAuthn / U2F the only actual example anybody has is AWS. So that's not an industry problem, that's specifically an AWS problem. Unless you have an actual example which isn't AWS?

As to TOTP, it's a shared secret, so just clone it. If they allow you to set multiple secrets, it would just reduce your overall security, because more random guesses work. Also, get WebAuthn instead.
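The point about TOTP in the comment above can be checked directly: because the server accepts any code matching any registered secret at any step inside its tolerance window, registering k distinct secrets enlarges the set of codes a blind guess can hit, while cloning one secret onto several devices does not. The following is an added illustration, not code from the thread or from any vendor's implementation; it implements RFC 4226 HOTP / RFC 6238 TOTP over HMAC-SHA1 in the standard library, and the two secrets and the timestamp used in the demo are constructed values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def accepted_codes(secrets, unix_time: int, window: int = 1,
                   step: int = 30, digits: int = 6) -> set:
    """Every code the verifier would accept at this instant: each registered
    secret, evaluated at every step within +/-window of the current one.
    Using a set means identical (cloned) secrets contribute nothing extra."""
    counter = unix_time // step
    return {hotp(s, counter + d, digits)
            for s in secrets
            for d in range(-window, window + 1)}


def verify(code: str, secrets, unix_time: int, window: int = 1,
           step: int = 30, digits: int = 6) -> bool:
    """Accept if the submitted code matches any accepted code. The comparison
    runs over the whole set so timing does not reveal which secret matched."""
    ok = False
    for candidate in accepted_codes(secrets, unix_time, window, step, digits):
        ok |= hmac.compare_digest(candidate, code)
    return ok


def guess_success_probability(secrets, unix_time: int, window: int = 1,
                              step: int = 30, digits: int = 6) -> float:
    """Chance that a single uniformly random submission is accepted right now."""
    return len(accepted_codes(secrets, unix_time, window, step, digits)) / (10 ** digits)


if __name__ == "__main__":
    # Constructed demo values (not real account material).
    secret_a = b"12345678901234567890"
    secret_b = b"abcdefghijklmnopqrst"
    now = 1111111109

    one = [secret_a]
    cloned = [secret_a, secret_a]      # same secret on two authenticator apps
    distinct = [secret_a, secret_b]    # two independently enrolled secrets

    for label, regs in (("one secret", one), ("cloned secret", cloned), ("two distinct secrets", distinct)):
        print(f"{label:22s} accepted codes={len(accepted_codes(regs, now))}"
              f"  P(random guess accepted)={guess_success_probability(regs, now):.2e}")
    print("current code for secret_a:", totp(secret_a, now))
```

With a +/-1 step window a single secret exposes at most 3 accepted codes out of 10^6 at any instant; enrolling a second distinct secret doubles that to 6, whereas cloning the same secret changes nothing. This is why rate limiting on code submission matters far more than the number of enrolled secrets, and why a public-key authenticator such as WebAuthn, which has no guessable code at all, sidesteps the question.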


Try setting up multiple WebAuthn w/Facebook, and then disabling the phone based back door.




