
Syncing of "MFA codes" is really syncing of the secret component of TOTP (time based one time password).

And it's a good thing, and damn any 2fa solution that blocks it. I don't want to go through onerous, incompetent, poorly designed account recovery procedures if a toddler smashes my phone. So I use authy personally, while a friend backs his up locally.



> I don't want to go through onerous, incompetent, poorly designed account recovery procedures if a toddler smashes my phone

Why don't you use the printed recovery tokens?


Not all websites offer them.

Hell, no bank I use (several large and several regional) supports generic TOTP. Some have SMS, one has Symantec VIP, proprietary and not redundant.

Edit: since I'm posting too fast according to HN, even though I haven't posted in an hour, I'll say it here. Symantec is TOTP, but you cannot back up your secrets and you cannot have backup codes.


Symantec VIP is TOTP under the hood.

https://github.com/dlenski/python-vipaccess


> Why don't you use the printed recovery tokens?

I currently see 53 2FA tokens in my private Bitwarden.

You expect me to print, keep safe and manually reset them all when I buy a new phone?


The toddler got there first.

Seriously, though, it's hard to keep track of something that gets used once every five years.


Who has a printer these days?


Local libraries, print shops... but yeah that may be an attack vector.


A better way to fix this is to have multiple ways to log in. Printed backup codes in your safe with your personal papers and/or a Yubikey on your keychain. This works for Google and Github, at least.

Passkey syncing is more convenient, though, and probably an improvement on what most people do.


If you can back up a key, it is not MFA. It's just a second password and not another factor. The solution to having your phone smashed is to have multiple "something you have", so you have a backup.



