
> for many users the alternative is no 2FA at all

I'm pretty sure people have phones and Coinbase can force them to install a 2FA app.



Which works fine until they buy a new phone and trade in or reset the old one without transferring the private keys -- and now you're locked out of your own account because you lost your second factor.


> and now you're locked out of your own account because you lost your second factor.

To verify someone's identity ("Identity Proofing") using Stripe Identity [1] costs ~$2. They support IDs from 33 countries and have implemented fraud detection in the flow. If you were so paranoid as to defend against someone stealing your government-issued ID (used in the proofing process), you could paper-mail an OTP to the physical address on file.

Does it suck, and is it the cost of having no digital ID infrastructure in the US? Yes. Is it insurmountable? Not at all. At the end of the day, people are the weakest link, and we must fall back to meatspace trust anchors (in this case, possession of a government-provided ID that can be presented on demand, with robust fraud detection mechanisms). You are who you are, and own what you own, not because of key material but because of the law.

[1] https://stripe.com/identity


No problem, just reset your factor over SMS!


Emergency single-use codes. They can be printed and stored in a safe. Not every service with 2FA has this feature; I have no idea why. How hard could it possibly be?
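As an added example (not code from this thread or from any particular service), here is the server side of the single-use emergency codes described in the comment above: codes are generated from a CSPRNG, only salted PBKDF2 hashes are stored, comparison is constant-time over every entry, and a code is invalidated the moment it is redeemed. The class and function names (`BackupCodeStore`, `issue`, `redeem`) are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical example of emergency single-use (backup) codes; names are
# invented for illustration and are not any service's real API.

# Alphabet avoids characters that are easy to confuse when read off paper
# (no 0/o, 1/l/i). 10 characters from 31 symbols is roughly 49.5 bits.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LEN = 10
GROUP_LEN = 5
PBKDF2_ITERATIONS = 100_000


def normalize(code: str) -> str:
    """Accept what a user types: strip separators/whitespace, ignore case."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(code: str, salt: bytes) -> bytes:
    # The codes are short, so a deliberately slow hash frustrates offline
    # guessing if the stored hashes ever leak.
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ITERATIONS)


def generate_code() -> str:
    raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
    return "-".join(raw[i:i + GROUP_LEN] for i in range(0, CODE_LEN, GROUP_LEN))


@dataclass
class BackupCodeStore:
    """Per-account record: one (salt, hash, used) triple per code."""
    salts: list[bytes] = field(default_factory=list)
    hashes: list[bytes] = field(default_factory=list)
    used: list[bool] = field(default_factory=list)

    def issue(self, n: int = 10) -> list[str]:
        """Generate n fresh codes, replacing any previous set.

        The plaintext codes are returned exactly once so they can be shown
        to the user (to print and put in the safe); only hashes persist.
        """
        codes = [generate_code() for _ in range(n)]
        self.salts = [secrets.token_bytes(16) for _ in codes]
        self.hashes = [hash_code(c, s) for c, s in zip(codes, self.salts)]
        self.used = [False] * n
        return codes

    def redeem(self, candidate: str) -> bool:
        """Consume a code. Returns True once per code, False ever after."""
        matched = None
        # Check every entry (no early exit) so timing does not reveal which
        # slot matched; compare_digest keeps each comparison constant-time.
        for i, (salt, stored) in enumerate(zip(self.salts, self.hashes)):
            if hmac.compare_digest(stored, hash_code(candidate, salt)) and not self.used[i]:
                matched = i
        if matched is None:
            return False
        self.used[matched] = True  # single use: burn it before reporting success
        return True

    def remaining(self) -> int:
        return sum(1 for u in self.used if not u)


if __name__ == "__main__":
    store = BackupCodeStore()
    printed = store.issue(10)
    print("Print these and store them offline:", *printed, sep="\n  ")
    print("first redeem:", store.redeem(printed[0]))   # True
    print("replay:      ", store.redeem(printed[0]))   # False
    print("remaining:   ", store.remaining())          # 9
```

In practice the plaintext list is displayed once and never logged, redemption is rate-limited like any other login attempt, and the whole set is reissued when the user regains a working second factor.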


There are multiple ways to avoid this, such as using an app that saves those keys (e.g. Authy) or using recovery keys.


But then the bad guy just logs in to Authy with the same stolen credentials, because most normal people will probably use the same credentials for everything, including Authy. And arguably, the smartest tech-savvy folk wouldn't be storing their 2FA keys in the cloud like Authy anyway.

If your cloud account is protected by 2FA that's also in the cloud... it's turtles all the way down.


How do you "log in" to Authy? It's tied to your Apple/Google ID as far as I know, and the 2FA codes are also protected with a passphrase.


I don't have a phone that will run apps. I'm pretty sure I'm not alone.
