
> 2FA is 99% security theater anyway

Never thought I would see anti-2FA posts on HN.

Even texted codes are not 99% theater, imo...



You didn't expect a forum full of obsessive technology nerds to see through the nonsense cargo cult that is 2FA?

tl;dr: You only need a strong, well-kept password or 2FA. Doing both has extremely marginal security benefits.

Remember that 2FA happened like this:

- everybody's password is hunter2

- people's accounts get hacked left and right

- people contact support, this costs the company lots of money

- so company tries "strong password" rules

- people forget their strong passwords

- people contact support, this costs the company lots of money

- company enforces 2FA

- fewer people contact support

- less support work, company saves money

Now, none of these problems apply to people who always use random strong passwords and store them in a decent password manager. I'm not saying 2FA makes no sense from a business perspective, it totally does. Moves the hassles from the business to the user (and locks out poor people without phones trying to log in from a library computer, but they were never going to be generating a lot of revenue anyway so who cares right?).

But if you're not using "hunter2" and not forgetting your password, the extra security 2FA gives you is against nation-state level hackery only. An attacker would have to either MITM your https traffic or hack into your password manager vault. But if they can MITM your https traffic, they can capture your 2FA OTP as well when you fill it in, so you're already screwed.

This leaves someone hacking my password manager. But 2FA has recovery keys, for when you lose your phone/authenticator. If an attacker has this key, they don't need the second factor. So then it all boils down to:

- do I dare print out my recovery keys, put them in a drawer, not lose them in a move or a fire, not urgently need them while away from home?

- or would I rather put the recovery keys right there in the password manager, meaning I can access them when needed but when someone hacks my password manager, they can hack my life?

If you're in camp 2, like I am, 2FA adds no value. If you're in camp 1, 2FA can protect you against people hacking your password manager (but against nothing else).

I don't believe anybody, barring the extremely paranoid (for good or bad reasons), actually prints out their recovery keys. Ergo everybody's in camp 2 or worse (e.g. put the recovery keys in your Dropbox). Ergo, if you use a password manager with strong passwords, 2FA is 99% theater. The 1% is for the printer+drawer people.



