However, as I am trying to sign on to my email and various services, I am realizing how difficult it is to access any of my accounts. Pretty much every service I am using wants me to use my phone to verify my identity.
For example, Google gives me three options after I login (I logged in with the password to the account...):
- Tap 'Yes' on your phone or tablet
- Use your phone or tablet to get a security code
- Get a verification code (at my phone number)
All three of these options require me to possess my phone and have it be in working order. After all these years, is this really the only way companies can verify my identity? I don't like this single point of failure.
Edit: Also of note, I have a secondary email address attached to that first Google account, but they don't give me an option to verify my identity using that secondary email. So why have that secondary email there at all?
I also make sure to grab any recovery code offered by the service so I can get back in, if my phone (which has the authenticator app on it) gets lost/stolen/damaged, or I lose my Yubikey.
Google requires a phone number to register, but you can turn on U2F or TOTP 2FA and it won't ask for your number next time you login, and requires a Yubikey/TOTP instead.
Honestly, this causes me much uncertainty in regards to something like Google Authenticator or other TOTP solutions (not exactly what the post is about, but very adjacent when you start considering the points of failure).
I mean, Google's solution in particular has a "Transfer accounts" option that lets you use QR codes for a backup, but that still feels somewhat worse than having desktop software as well like KeePass and some password/biometrics protected database file like .kdbx that I could open on my phones, tablets, computers etc.
Apparently the closest you can get on the desktop is Authy, which is a TOTP client that runs on multiple platforms: https://authy.com/download/
There was also WinAuth, but it seemingly isn't updated anymore, at least since 2018: https://github.com/winauth/winauth
To me, software like that feels infinitely more portable and more suited for backups, versus some vendored device like YubiKey which costs close to what a new Android device might cost, making it less affordable to many.
But in regards to Google and other platforms that have their own opinions about how to handle logging in and their bespoke multi-factor implementations? There's even less chance of something portable being viable.
A security stackexchange discussion seemed rather divided over whether SMS/TOTP on mobile is "two factor" or "two step." If it's "two step," I wonder why it can't just be any two things I know. Like the good old security questions or a second email address.
Should be a choice at least so we can say this much security is more than enough for me because your idea of more security doesn't actually seem more secure to me in the real world of negligent policing and unprofessional companies.
U2F/WebAuthn
paper backup codes (scratch codes)
If only the screen is broken, but the phone can receive SMS, and you use a Mac with iCloud, you can receive SMS on your Mac.
Phone call or SMS to a "real" VOIP number, which you can then pickup on ANY phone and/or your computer. Google Voice isn't real enough for this.
You can also not use 2FA.
For other services: hit or miss. To the extent you can login to them with OAuth ("login with Google") and you don't mind giving away your identity that way (sounds like you don't care much), then always do that.
1) you don't have another password/account to manage
2) your google oauth login will stay valid for quite a long time, giving you lots of cushion to get a new phone, unless you're especially unlucky with the timing
Well, they could send a card through the mail to your home or office with as long a validation string as they like.