nightcraw1er.488: TBH honest, I follow the DRM free and download everything I buy immediately onto my backups, that way I have no reliance on the website.
Sarafan: But you wouldn't want to lose access to your account nevertheless. It's always good to have an additional backup of games over the Internet.
nightcraw1er.488: The website also has very little information on me, isn't connected to anything else, and I don't use Galaxy. Therefore minimum to lose from my viewpoint, whereas installing some other app on a phone is opening up another avenue of attack. If you want to protect yourself, remove Galaxy, unlink the various accounts, follow good practice on password setups etc.
Sarafan: Blizzard has done a great job when implementing the authenticator. It's safe because the hackers would need to have access to your phone and computer simultaneously to get control over your Battle.net account. In most cases the security that GOG provides is enough, but there are some rare situations when someone can lose access to his account because the hackers hijacked his e-mail account as well. The authenticator reduces the threat to a minimum.
Blizzard! Anyways, I have to use one of these authentications for work. It won’t be long before someone manages to hack these systems and then it’s just direct access to both your computer and phone. It’s like anything put in place, physical world or digital “to stop criminals”, it only ever messes up valid users and gets broken real quick.
low rated
cryware: Uhm, I vote for 1 step authentication... =choose a strong password and change it with some frequency!=
Evidently I got lost but:
1) Why do we need 2-, 3-, 4-step authentication in the first place? Security experts have provided proofs of concept that SMS & tokens are not secure...
2) Got hacked? Don't we have an email + user info + transaction receipts + GOG's cookies & geolocation to clearly re-claim our account with such & enough evidence?
3) Isn't it a little over the top to ask for armored security on a gaming store? Maybe we can ask GOG to track our location in real time 24h x 365d to ensure we don't get -lost- in the middle of every visit...
I ask you to reconsider, please.
why change it?
CoalFyre: If someone's hacked a GOG account then they likely have the attached email so 2-step becomes useless.
paladin181: Only if you're dumb enough to practice terrible cybersec.
Which most people would do because they don't have excess email accounts.
cryware: I ask you to reconsider, please.
Well, do you have solutions for a company run by a threadbare skeletal staff to improve or automate InfoSec?
Orkhepaj: why change it?
In case of data breaches users & passwords can be collected. If you don't change the password frequently (you keep only one forever) the probability of getting hacked increases no matter how strong it is. Why? The most basic method to crack a password is brute force: try all the possible string combinations until finding the correct one.

Just as a mere silly example: let's say your 5 digit password requires 1 year of full PC time to be found using brute force (yeah, these numbers and estimations don't make sense, but bear with me because they are not relevant). What happens if you change your password 1 month from now while the brute force work is in progress? All the progress made goes to the trash bin and it is necessary to start again. Sure, if your password is 2 digits long and the estimate to crack it is 05 seconds, it doesn't matter if you change it every month because it can be hacked in a sneeze.

The other side: if your password is 1024 digits long (a mix of letters, numbers and special chars) and the estimate is 1000 years then you may take your time to change it... but remember, computing power improves and today's estimate is worse than in the future, and the number of the estimate is the worst case scenario: it could happen that, despite being a very strong password, it is discovered in the first attempts! (months to crack it maybe?)

cryware: I ask you to reconsider, please.
Darvond: Well, do you have solutions for a company run by a threadbare skeletal staff to improve or automate InfoSec?
Sorry, I am not following you, so please let me ask you: how does 2-step verification "provide a solution improving or automating InfoSec"? Did I miss the news of hordes of gog.com accounts being hacked, so that your supposed skeletal staff need automated solutions and improved infosec to solve a security hole? I am not aware of a disaster like that, hence my opinion is to keep the current security as is (1-step authentication = user & password. And my basic suggestions are: strong password and change it frequently), therefore I ask the people looking for "infosec improvements" to reconsider. Yes, I don't consider 2FA a real improvement, but that doesn't mean I pretend to have -solutions-. How does all this connect to your question? I'm afraid there is not much else I can contribute to the topic under the given scenario.
cryware: ...
No one mass cracks passwords by brute force these days. The only exception might be trying the most common combinations of the qwerty123 type. Classic brute force wouldn't even be possible because any half serious service has mechanisms preventing it, like using a captcha or temporarily disabling login after a few unsuccessful attempts.

But anyway, why bother with changing passwords every month instead of using 2FA and not changing them ever or very rarely? Yes, it decreases risk because your password from a leaked database might already be outdated before someone uses it, but if someone manages to log in and do damage it won't matter whether you changed it yesterday or 5 years ago. There's literally no scenario where this is a good idea from a security standpoint; even the simplest 2FA like SMS or email is better than none.
ssling: No one mass cracks passwords by brute force these days. The only exception might be trying the most common combinations of the qwerty123 type. Classic brute force wouldn't even be possible because any half serious service has mechanisms preventing it, like using a captcha or temporarily disabling login after a few unsuccessful attempts.

But anyway, why bother with changing passwords every month instead of using 2FA and not changing them ever or very rarely? Yes, it decreases risk because your password from a leaked database might already be outdated before someone uses it, but if someone manages to log in and do damage it won't matter whether you changed it yesterday or 5 years ago. There's literally no scenario where this is a good idea from a security standpoint; even the simplest 2FA like SMS or email is better than none.
What would be best is PAM via Biometrics, but I'm sure people would be too paranoid to buy a fingerprint sensor even if it authenticated only locally.
ssling: snip
Certainly criminal -organizations- (yep, the full definition of the word goes included) have more elaborate and efficient methods: not just donkey brute labor. But again, the basic concept persists: they need to attempt to "guess" the password anyway, no matter how educated the guess is.

2FA is not a magical solution as you imply. Why not think first of time interval penalties on every failed login attempt? 30 seconds on the 2nd attempt, 2 minutes on the 3rd, 5 minutes on the 4th, 24hrs on the 6th (just wild numbers, as I enjoy in my examples). 10 incorrect password attempts in a row? 1 week login freeze and even a forced password change. Is this suggestion boring and silly compared to more sophisticated -solutions- like tokens and biometric devices the big boys enforce? Absolutely!! Then let's take the trendy and fancy, ignoring the boring paranoids out there... Uh?... Somebody else said A.I.? Sounds like a terrific (yep, the archaic definition of the word goes included) idea!
And I insist: We are talking of a gaming store...
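A concrete form of the escalating-penalty idea from the post above, as an added example written for this thread rather than anything GOG runs: a small Python login throttle that applies the post's schedule per account (30 s after the first wrong password, 2 min, 5 min, then 24 h before the sixth attempt, and a one-week freeze with a forced password change at the tenth). A correct password is also refused while a lock is active, and a successful login clears the streak. The one-hour penalty after the fourth failure and the repeat of 24 h for failures six to nine are my assumptions; the post gives no value for those.

```python
import time
from dataclasses import dataclass

# Seconds the account stays locked after the n-th consecutive failure.
# n = 1, 2, 3 and 5 follow the post's schedule (30 s before the 2nd attempt,
# 2 min before the 3rd, 5 min before the 4th, 24 h before the 6th); the
# 1-hour value for n = 4 and the repeat of 24 h for n = 6..9 are assumptions.
LOCK_AFTER_FAILURE = {1: 30, 2: 120, 3: 300, 4: 3600, 5: 86400}
FREEZE_AFTER = 10            # 10 wrong passwords in a row ...
FREEZE_SECONDS = 7 * 86400   # ... one-week freeze plus a forced password change


def lock_seconds(failures: int) -> int:
    """Lock duration imposed after `failures` consecutive failed logins."""
    if failures <= 0:
        return 0
    if failures >= FREEZE_AFTER:
        return FREEZE_SECONDS
    # Beyond the explicit table, keep the longest listed penalty (assumed).
    longest = LOCK_AFTER_FAILURE[max(LOCK_AFTER_FAILURE)]
    return LOCK_AFTER_FAILURE.get(failures, longest)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0
    must_reset_password: bool = False


class LoginThrottle:
    """Per-account progressive lockout; `clock` is injectable for testing."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def seconds_remaining(self, user: str) -> float:
        return max(0.0, self._state(user).locked_until - self.clock())

    def attempt(self, user: str, password_ok: bool) -> str:
        """Process one login attempt; `password_ok` is the credential check result.

        Returns "locked" (lock still active, even with the right password),
        "reset_required" (freeze elapsed, password must be changed first),
        "ok", "failed" (wrong password, lock applied) or "frozen" (10th failure).
        """
        st = self._state(user)
        now = self.clock()
        if now < st.locked_until:
            return "locked"
        if st.must_reset_password:
            return "reset_required"
        if password_ok:
            st.failures = 0           # a successful login clears the streak
            return "ok"
        st.failures += 1
        st.locked_until = now + lock_seconds(st.failures)
        if st.failures >= FREEZE_AFTER:
            st.must_reset_password = True
            return "frozen"
        return "failed"

    def complete_password_reset(self, user: str) -> None:
        """Called after the user proves ownership and sets a new password."""
        self.accounts[user] = AccountState()
```

Because the counter is keyed on the account name, anyone who knows a login name can keep that user locked out by sending wrong passwords on purpose; that is why a scheme like this is normally paired with the per-IP throttling and captcha that ssling mentions, and why the penalty is a delay rather than a permanent block.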
CoalFyre: I would love to see an option for 2-step authentication to be done as an SMS rather than an email. If someone's hacked a GOG account then they likely have the attached email so 2-step becomes useless.
I also have the issue where my emails can take longer than 15 mins to be received so my 2-step becomes 12-step.
Sounds like a great idea... until you switch your phone number and then need to authenticate yourself on a new browser...
low rated
cryware: ...
ssling: No one mass cracks passwords by brute force these days. The only exception might be trying the most common combinations of the qwerty123 type. Classic brute force wouldn't even be possible because any half serious service has mechanisms preventing it, like using a captcha or temporarily disabling login after a few unsuccessful attempts.

But anyway, why bother with changing passwords every month instead of using 2FA and not changing them ever or very rarely? Yes, it decreases risk because your password from a leaked database might already be outdated before someone uses it, but if someone manages to log in and do damage it won't matter whether you changed it yesterday or 5 years ago. There's literally no scenario where this is a good idea from a security standpoint; even the simplest 2FA like SMS or email is better than none.
same here

good luck brute-forcing my 16+ random-char passwords, not gonna happen, especially with the mentioned online try limits
and most companies should be smart enough to only store salted pw anyway

constantly changing password is more error prone than keeping one, more likely you will just lock yourself out
the only reason to change it is if it is compromised
nightcraw1er.488: Blizzard! Anyways, I have to use one of these authentications for work. It won’t be long before someone manages to hack these systems and then it’s just direct access to both your computer and phone. It’s like anything put in place, physical world or digital “to stop criminals”, it only ever messes up valid users and gets broken real quick.
I'm not saying that a mobile authenticator gives a 100% guarantee that you won't lose your account in a potential hacker attack. It provides higher security than one-step or e-mail two-step authentication however. People are the weakest link in cyber security. So if you're not cautious enough, everything can happen. There are people here that have 2000+ titles in their library. It's possible they will become victims of hacker attacks because these accounts have a huge value. It's in their best interest to maximize security.
nightcraw1er.488: TBH honest, I follow the DRM free and download everything I buy immediately onto my backups, that way I have no reliance on the website. The website also has very little information on me, isn't connected to anything else, and I don't use Galaxy. Therefore minimum to lose from my viewpoint, whereas installing some other app on a phone is opening up another avenue of attack. If you want to protect yourself, remove Galaxy, unlink the various accounts, follow good practice on password setups etc.
Word!
cryware: 1) Why do we need 2,3,4 steps authentication in the first place? Security experts have provided Proof of Concepts that SMS & tokens are not secure...
The same reason you get some fancy lock on your door. Any lock can be picked, but having a good one is more work, which makes you a less likely target. 2FA makes it not impossible, but way more inconvenient to target your account. Hopefully as much that the "bad guy" says "Not worth it". A simple password can be stolen by a keylogger for instance, no matter how complicated it is. But with 2FA there is another line of defence - especially if you access the second factor on another device, like your phone.
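To make the "second factor on another device" point concrete, here is an added Python example (not from the post, and not GOG's or Blizzard's code) of the TOTP scheme that phone authenticator apps implement (RFC 6238 on top of HOTP, RFC 4226): phone and server share a secret, the code is a truncated HMAC over the current 30-second window, and the server accepts each window at most once. A password captured by a keylogger on the PC does not reveal the secret held on the phone, and a code captured along with it is only good for the current window and only until it has been used. The secret below is the RFC test vector, so the expected values are the standard's published ones; real deployments generate a random secret per user.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
# Real deployments generate a random secret per user and show it once as a QR code.
RFC_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): dynamically truncate HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock.

    This is what the phone computes; it needs the secret and the time, nothing
    from the PC. At t = 59 the RFC vector gives counter 1 and code 287082.
    """
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step))


class TotpVerifier:
    """Server side: tolerate one step of clock skew, never accept a window twice."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_counter = -1   # highest counter already consumed

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        if at is None:
            at = time.time()
        now_counter = int(at // self.step)
        for counter in range(now_counter - self.skew, now_counter + self.skew + 1):
            if counter <= self.last_counter:
                continue   # replay: this window (or an older one) was already used
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False
```

The `last_counter` bookkeeping is the part that is easy to forget: without it a code intercepted during its 30-second window can be reused immediately, which is exactly the replay a keylogger-plus-proxy setup relies on.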
cryware: 1) Why do we need 2,3,4 steps authentication in the first place? Security experts have provided Proof of Concepts that SMS & tokens are not secure...
toxicTom: The same reason you get some fancy lock on your door. Any lock can be picked, but having a good one is more work, which makes you a less likely target. 2FA makes it not impossible, but way more inconvenient to target your account. Hopefully as much that the "bad guy" says "Not worth it". A simple password can be stolen by a keylogger for instance, no matter how complicated it is. But with 2FA there is another line of defence - especially if you access the second factor on another device, like your phone.
Total security is impossible. You can choose to go heavy on the protection systems, or you can choose to minimise your exposure. I prefer the latter.

Your phone number is the entry point for all the data anyone could ever need about you. Why would I want to hand it over to anyone I don't trust?

Sensible practices are much better than any anti-virus program. I never use an installed AV. I've had one virus in twenty years, and that was because of a daft mistake I made.
borisburke: Total security is impossible.
Did I say otherwise?

borisburke: You can choose to go heavy on the protection systems, or you can choose to minimise your exposure. I prefer the latter.
2FA is a cheap and effective system to raise the hurdle of account theft considerably. If you don't want to have your bicycle stolen, you use a good lock, no? Not too heavy, but not too cheap either. Because - while it can be broken within minutes - it still makes thieves pick easier targets. I also find 2FA not too "heavy" (inconvenient).

borisburke: Your phone number is the entry point for all the data anyone could ever need about you. Why would I want to hand it over to anyone I don't trust?
That's between you and your phone. I doubt anyone could do much with my phone number, other than spamming me on Signal or Telegram.

borisburke: Sensible practices are much better than any anti-virus program. I never use an installed AV. I've had one virus in twenty years, and that was because of a daft mistake I made.
Where did I talk about AV?
And while I agree that the best protection against viruses is Brain 1.0, especially Windows had so many vulnerabilities over the years that required no user interaction - remember Conficker? Drive-by downloads? Some of that malware was spread through ads from perfectly legitimate websites, like news sites etc.

Also malware that is out for your data, spying on you, is something that you don't notice - it doesn't show popups, it doesn't encrypt your files, it just sits there watching you and logging your actions.

While I do agree that the usual AV provides a false sense of security to the average user, and is often a vulnerable target itself, it does make sense to regularly scan the system for malware and rootkits.

As you wrote yourself - shit happens. And many people aren't as computer-savvy as you and I and most people on the forum here. And damage is quickly done. Because of that I see 2FA as another line of defence - which can be broken, for sure, but it slows attackers at least down, and maybe even makes them look for easier targets.