Never is a really big qualifier. It is possible for practiced coders to build secure systems. This is how we get trusted systems.
Trusting auth systems is always a gamble. Remember when Google 2FA was only actually checking the first factor? I sure do.
In my business the simple account and password ID model is insufficient. Most of our accounts are for families or organizations with complex contact protocols. Because on site service is the product we have the luxury of extensive physical in person verification. Assuming that every auth issue is for a typical Internet SaaS is a huge mistake.
Trusting auth systems is always a gamble. Remember when Google 2FA was only actually checking the first factor? I sure do.
In my business the simple account and password ID model is insufficient. Most of our accounts are for families or organizations with complex contact protocols. Because on site service is the product we have the luxury of extensive physical in person verification. Assuming that every auth issue is for a typical Internet SaaS is a huge mistake.