I think there are two big aspects that need to be kept distinct.
First is large-scale ATOs. This is, IMO, the real reason why major services implement 2FA. To the best of my knowledge, despite the insecurity of SMS, there's no evidence that an attacker can massively take over accounts of a set of users with 2FA enabled.
Then, there's attacking a single target user. I don't think there will ever be a solution for that, unless the user is really careful. 2FA offers a 2nd factor, but you still need a strong 1st factor to reduce the attacker's power.
For example, storing a strong password in a pwd manager is useless when you lose your phone (assuming an attacker can unlock the screen), as both factors are on the same device, making the 2FA de facto a single-factor auth.
Currently, again IMO, the only way to achieve a secure two-factor auth is to have a strong password that you remember, and a second factor that proves you have a device.