Mobile phone security's been busted for years, and now 2-factor auth is busted too

PayPal used to offer a hardware 2FA device that would read out a six-digit code on the LCD every time I pressed the button. I thought it was a great idea until I realized that they didn’t require the device or anything other than my plain old password to turn off the requirement to use the device.

This fatal flaw seems ubiquitous in many 2FA schemas today: they can be disabled or worked around without 2FA.
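To make the flaw concrete, here is an added illustration (not PayPal's code or anything from the original post): a toy account model with an RFC 6238 TOTP second factor, showing the weak "disable 2FA with password only" flow beside a hardened one that demands a fresh code before the second factor can be switched off. The account, password and secret are constructed sample values.

```python
# Added example, not from the original page: weak vs. hardened "turn off 2FA" flows.
# TOTP follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits).
import hmac, hashlib, struct, time
from typing import Optional

def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    counter = int(timestamp) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

class Account:
    def __init__(self, password: str, totp_secret: bytes):
        # Constructed sample account; a real system would store a salted, slow password hash.
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self._secret = totp_secret
        self.two_factor_enabled = True

    def _password_ok(self, password: str) -> bool:
        return hmac.compare_digest(self._pw_hash, hashlib.sha256(password.encode()).digest())

    def _code_ok(self, code: str, now: float) -> bool:
        # Accept the current step and one step either side to tolerate clock drift.
        return any(hmac.compare_digest(code, totp(self._secret, now + d)) for d in (-30, 0, 30))

    def disable_2fa_weak(self, password: str) -> bool:
        """The flawed design: the password alone turns the second factor off."""
        if not self._password_ok(password):
            return False
        self.two_factor_enabled = False
        return True

    def disable_2fa_hardened(self, password: str, code: str, now: Optional[float] = None) -> bool:
        """Step-up check: disabling 2FA is itself a 2FA-protected action."""
        now = time.time() if now is None else now
        if not (self._password_ok(password) and self._code_ok(code, now)):
            return False
        self.two_factor_enabled = False
        return True
```

The `totp` function reproduces the RFC 6238 test vector (secret `12345678901234567890`, T=59 gives `287082` at six digits), so the check can be verified offline.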