> may I suggest spending a couple of days volunteering for a local Victim Support charity.
Please try being less condescending.
Losing the keys, due to whatever reason, means losing one factor. If the user loses the key, the "mugger" still needs to get the users' passwords.
2FA = something you know + something you own. Having one factor compromised should not compromise your accounts if the service you are using is configured correctly.
That's not exactly correct. Another factor is something you are, such as a fingerprint or eye. There are three classes of factors from which drawing any two is called 2FA.
There is also a 1.5 factor auth, used for example by many banks, in which there is a server challenge for the very vulnerability stated in the article.
Please try being less condescending.
Losing the keys, due to whatever reason, means losing one factor. If the user loses the key, the "mugger" still needs to get the users' passwords.
2FA = something you know + something you own. Having one factor compromised should not compromise your accounts if the service you are using is configured correctly.