I wished that companies would just let me tick a box that says "I explicitly don't want 2FA and I accept that my account might get taken over / lost and I will not be able to do anything about it".
Sadly that's not going to fly, since the damage a bad actor can do with your account will generally hurt the service's bottom line.
Consider a game, as an example. A stolen account can be used to play with cheats or to commit credit fraud / chargebacks, and the typical punishment of banning the account is no longer a deterrent. If there's an in-game player market or gifting system, items can even be transferred to otherwise legitimate accounts.
> A stolen account can be used to play with cheats or to commit credit fraud / chargebacks, and the typical punishment of banning the account is no longer a deterrent. If there's an in-game player market or gifting system, items can even be transferred to otherwise legitimate accounts.
How is that hurting the company? It would mostly hurt me as the original account holder. Except for the cheating, but that can just be done with a newly created account as well, so the only thing the fraudster would gain is not having to create an account.
The general public has trouble discerning responsibility among multiple corporate citizens working together. Remember the "iCloud hack" from last decade was not actually a hack at all, just stealing passwords and downloading videos/images from cloud storage. Incidentally, that prompted Apple to turn on 2FA for all accounts.
Password strength requirements are an anti-pattern: they force users to pick passwords from a pre-determined list the algorithm comes up with, rather than passwords they can remember.
Even with the most secure password, it is still useful to have an additional gate to get past before being able to perform any actions on your account. You are in control; you could deny the 2FA for an attacker just by doing nothing, whereas kicking an attacker out after they've logged in with your password is a lot more difficult and requires active action on your part. I remember being paranoid checking the list of recent sessions (and clicking the "end all other sessions" button multiple times a day) in the old Gmail design, and also giving up as keeping an eye on that list 24/7 was futile and a waste of time. With 2FA, I don't have to.
2FA is great when you want it on an account. If it’s being forced on you however, it’s insanely irritating, often for no reason. The user should have the power to decide if that information is worth the extra protection.
To your point, what is an anti-pattern is requiring certain special characters or a certain mixture of character sets while ignoring other valid safety approaches such as password length, IMO. Regardless, if a user is constantly resetting their password due to a forgotten password, that amounts to 2FA because of the emailed reset tokens anyway. Modern users have adequate access to password managers, so it should be simple to put them back in control.
Rules like "At least one special character" are silly. But I like estimator-based (e.g. zxcvbn) strength requirements. Plus checks against a blacklist like HIBP.
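As an added example (not code from any commenter above), here is the breach-list check the last comment favours over character-class rules: the Have I Been Pwned "range" protocol, where the client sends only the first five hex characters of the password's SHA-1 and matches the remaining 35 locally against the returned `SUFFIX:COUNT` bucket. The `offline_lookup` corpus and its counts are constructed stand-ins for the real API so the block runs without network access.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# A lookup maps a 5-hex-char prefix to the API's response body
# (one "SUFFIX:COUNT" entry per line); the full hash never leaves the client.
RangeLookup = Callable[[str], str]

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to the API
    and the 35-char suffix compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password: str, lookup: RangeLookup) -> int:
    """How often the password appears in the breach corpus (0 if absent).
    Entries with a count of 0 are padding (returned when the client asks
    for Add-Padding) and are ignored."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in lookup(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0

def password_acceptable(password: str, lookup: RangeLookup,
                        min_len: int = 12) -> Tuple[bool, str]:
    """Policy: minimum length plus a breach-list check, no special-character rule."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    n = breach_count(password, lookup)
    if n:
        return False, f"seen {n} times in known breaches"
    return True, "ok"

# Constructed offline stand-in for the API: a tiny corpus with made-up counts.
CONSTRUCTED_CORPUS = {"password": 3_000_000, "correcthorsebatterystaple": 2}

def _build_buckets() -> Dict[str, str]:
    buckets: Dict[str, List[str]] = {}
    for pw, n in CONSTRUCTED_CORPUS.items():
        p, s = sha1_prefix_suffix(pw)
        buckets.setdefault(p, []).append(f"{s}:{n}")
    # One padding entry (count 0) in the "password" bucket, as the real API emits
    buckets[sha1_prefix_suffix("password")[0]].append("0" * 35 + ":0")
    return {p: "\r\n".join(lines) for p, lines in buckets.items()}

_BUCKETS = _build_buckets()

def offline_lookup(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/{prefix}."""
    return _BUCKETS.get(prefix, "")
```

A real deployment swaps `offline_lookup` for an HTTP fetch of the same prefix; the parsing and policy logic stay unchanged.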