> Gosh, I don't know, how about literally all of the problems that 2FA solves in the first place?
It is clearly failing for this use case.
Security can't be seen as a one-size-fits-all threat model. That will never be satisfactory, as requirements vary.
For most people in most scenarios 2FA is a net positive.
But denial of service is also a component of evaluating threat models. Here we're discussing cases where 2FA causes denial of service which is worse than any risk of getting the account stolen by password guessing.