Hacker News | digitalpacman's comments

All 2FA is security theater. All 2FA in use today is normally just 1FA pretending to be 2FA. If I have your phone, then I have everything I need to log in. That's 1 factor. 2FA is only 2FA if the physical device ownership requirement does not have access to use the thing being accessed. Why? Because you store passwords on that device. That device has your password. If I have the device, I have your password. You would have to use no auto-fill and memorize your passwords so that the physical device does not have your password in it. The point is, if I get one factor, I don't have the other. But in reality, our physical devices can access the thing we want, and therefore you likely store your credentials on that device.


> All 2FA is security theater.

Might be the worst take I have seen on this website. Anyone with first-hand experience in corporate information security will not agree with you. Fact of the matter is 2FA stops the majority of credential/phishing-based attacks, because the majority of attackers are casting a wide net and will simply give up. Is it perfect? No. But to say it's all security theater is ignorant.


If they don't have 2FA on their email, and you have their password, that is bypassing the 2FA. :) Single factor. Password. No physical device, no 2FA.


Like abortion?


Good, you shouldn't be using them. You shouldn't be using foreign keys either. It just makes working with data harder and doesn't help with constraining it if your data modifications are inside transactions and properly written statements.


Easy. You don't ever pick MySQL because it's essentially garbage.


Dissolve their fucking business licenses.


Nothing. They are generally always a waste of space and time.


Have you experienced nuget? Seems pretty solved and solid and unchanged since... forever now.


It's because you're getting past the point of having simple questions. Once you get to a certain point of understanding, there is less available online for shared problem solving. This just happens.


My app has been removed from YouTube OAuth multiple times because we keep getting different verifiers. We've even had permission revoked after being approved. All we do is use OAuth to get their userid and read their livechat for a chatbot. They just can't get their shit together.

