I'd like to share some experience. Some may feel it's a rant, others something to consider, but it's nonetheless something to discuss. The title says 2-factor auth, but this extends to emails and more, as you'll see.
I received an email this morning from a tech company (which I will not name) telling me that I logged into my account (yup, I did, 10 minutes earlier). The email told me my browser type, IP address, monitor size, device type and operating system. The email then went into a lengthy pitch strongly suggesting I needed to provide them with my mobile number for two-factor authentication to "keep my information safe".
#1 - This email sent my information out into the public, where now a weak point isn't just my account itself, it's my email too: if you access one, you get all this info too.
#2 - Providing more information does not keep it safe; it opens even more weaknesses. Sure, it may be harder to actually log into my account, but logging into my account is NOT how a hacker will access my information. They will do something like find my mobile device if I drop it and, by virtue of its being linked, access my accounts. OR, if this company has its servers hacked, which is a problem lately for MANY companies, the hacker now gets my phone info too.
I'm going to keep this short, there could be 10 more entries here, but the BEST security is to make it so that if one account is hacked... so what. By that I mean if you get into one of my accounts it will yield no information to get into other accounts. THAT is the best protection, in my opinion.
My real name, address and mobile number are things I do not provide if at all avoidable, and that has served me well over the years. If a name is required, it has a typo, or I use an alias name along with a catchall email for that alias. The point is that if someone contacts me, they will be telling me where they came from by what they call me and by the email address they use. I'll have all the info I need to re-secure my own accounts by virtue of just being contacted, and there is NOTHING any hacker can do to fool me on that.
It doesn't matter which account you get into, I have no vulnerable information online. I demand paper bills instead of emails. I don't subscribe (or I quickly unsubscribe) to company emails, and I REALLY do not appreciate a company taking it upon itself to send me all of my information in an email as a sales pitch to give them my number too; it ensures I end my relationship with that company.
My point for writing this: take your security into your own hands. Never repeat passwords, do not keep accounts you don't use open, and don't use the same email for everything; learn to set up a catchall. There's more, but simple things keep you safe: info that is not out there, or is unique to one service, is hard to use against you. As for 2-factor authentication, NO, you cannot have my phone number, period. That mobile device is key to invading your privacy too; it's why every company wants it above all else you could provide. Just say no, or at the very least set up a trash number for security reasons if you like 2-factor. Keep your private life private!
/rant off, now excuse me while I go abandon this company. They sent the email to an email provider with a history of aggregating AND USING personal information, yuck.
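The catchall-with-aliases habit described above (a different address handed to every service, so the address a message arrives at tells you who gave it out, and an address you never issued tells you someone is guessing) as an added worked example. This is not code from the original post; the domain, the secret, the service names and the sample message are placeholders constructed for the example. It goes one step past the post by deriving each alias with a keyed hash, so that seeing one alias does not let a spammer enumerate the others.

```python
import email
import hashlib
import hmac
from email import policy
from email.utils import getaddresses

# Placeholders for this example only: use your own catchall domain and a
# long random secret kept out of source control.
CATCHALL_DOMAIN = "example.net"
ALIAS_SECRET = b"replace-with-a-long-random-secret"


def make_alias(service, secret=ALIAS_SECRET, domain=CATCHALL_DOMAIN):
    """Derive the address handed to one service.

    A readable tag keeps the alias recognisable to you; the keyed hash suffix
    stops anyone who sees one alias from guessing the others (a plain
    "bank@catchall" scheme is enumerable, a keyed one is not).
    """
    key = service.strip().lower()
    tag = "".join(c for c in key if c.isalnum())[:12]
    suffix = hmac.new(secret, key.encode(), hashlib.sha256).hexdigest()[:8]
    return f"{tag}-{suffix}@{domain}"


def build_registry(services, secret=ALIAS_SECRET, domain=CATCHALL_DOMAIN):
    """Map each issued alias back to the service it was given to."""
    return {make_alias(s, secret, domain): s for s in services}


def catchall_recipients(raw_message, domain=CATCHALL_DOMAIN):
    """Every distinct address at the catchall domain a message was sent to.

    Delivered-To / X-Original-To are checked as well as To / Cc because bulk
    mailers often put a list address in To and the real alias only shows up
    in the delivery headers. Addresses are lower-cased before comparison.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    fields = []
    for name in ("to", "cc", "delivered-to", "x-original-to"):
        fields.extend(str(v) for v in msg.get_all(name, []))
    found = []
    for _display, addr in getaddresses(fields):
        addr = addr.lower()
        if addr.endswith("@" + domain) and addr not in found:
            found.append(addr)
    return found


def attribute(raw_message, registry, domain=CATCHALL_DOMAIN):
    """Pair each catchall address with the service it was issued to.

    A None service means the alias was never issued: someone is guessing or
    dictionary-spamming the catchall rather than using an address a company
    leaked, which is a different problem from a service leaking its list.
    """
    return [(a, registry.get(a)) for a in catchall_recipients(raw_message, domain)]


def sample_message(recipient):
    """Constructed sample message (not a real capture) addressed to one alias."""
    return (
        "From: promo@mailer.example.com\r\n"
        f'To: "Customer" <{recipient}>\r\n'
        f"Delivered-To: {recipient}\r\n"
        "Subject: We noticed a login to your account\r\n"
        "\r\n"
        "Hello Customer, please add your mobile number for 2-factor auth.\r\n"
    ).encode()


if __name__ == "__main__":
    registry = build_registry(["Example Shop", "Example Bank"])
    for raw in (sample_message(make_alias("Example Shop")),
                sample_message("info@example.net")):
        for alias, service in attribute(raw, registry):
            print(f"{alias} -> {service or 'UNKNOWN alias (never issued)'}")
```

Keep the registry (or just the list of service names plus the secret) somewhere only you can read it; with the keyed derivation you can regenerate every alias from that list, and any mail to an alias that is not in it is by definition not from a company you signed up with.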