At this point, 2FA has become the new gold standard of security. The first time I encountered it was on my bank’s website. Back then, as a broke student, I didn’t understand why it mattered. I’m still a broke student, but now I understand why an e-banking service would need 2FA. What I still don’t get is why my Grammarly account insists on it.
Two-factor authentication (2FA) is what happens when you enter your username and password, only to be hit with the dreaded prompt: “Please enter the code sent to [your email address].” In theory, it’s an extra layer of security. Even if someone has your credentials, they still need access to your email or phone. In practice, though, 2FA is more trouble for the user than for the hacker.
It overcomplicates access
You shouldn’t have to check your brakes before every drive
Basically, 2FA’s whole purpose is to make access harder, and yes, it succeeds at that—but not just for hackers, for me too. The odds that the person logging in isn’t me but some hacker are slim, yet I’m the one punished with hoops to jump through. I now need at least two open windows just to log in anywhere. First, the site. Then, my email, to grab the code. Worse, if it’s SMS-based 2FA, I have to fetch my phone.
It’s the same inherent dilemma of any security measure. You can prevent your brakes from failing by checking them before every drive. That makes sense: if you don’t want brake failure, if you want to avoid accidents and live a longer life, you should check your brakes every single time. But no one does that because it’s not feasible. That’s what’s happening with 2FA.
VPN usage only makes this worse. I almost always run a VPN. That means 2FA’s naive checkpoint of “is this the same IP?” flags me almost every time. Using a static VPN kills the point of privacy, but without it, I’m forced into this endless cycle of retrieving codes. So what’s a man supposed to do, other than grab his email or phone every time he wants to sign in?
False sense of security
Good habits matter more than constant re-authentication
Clearly, there’s a difference between having good email security habits and being forced to jump through hoops every time you log in. You don’t need strict quality control if you have good quality assurance in place. If you already drive responsibly and replace your brakes regularly, you don’t need to check them before every trip; the same logic applies here.
I can’t count how many times I’ve tried logging into my Google account on my phone, only for the verification prompt to be sent to that same device. If someone has my phone, game over—they don’t even need my password. The email or SMS code hands them the keys. SMS 2FA is still everywhere, despite SIM swapping being a known, active threat. SMS 2FA is convenient, but it’s so ridiculously insecure. A website seriously can’t claim that they’ve made your account more secure by adding SMS 2FA.
Unreliable
2FA is built on shaky delivery methods
Despite being treated as a cornerstone of modern security, 2FA is anything but reliable. My experiences with Google have been fine, but Meta’s 2FA is inconsistent and Microsoft’s is downright horrendous (I’ll talk more about this later). If Big Tech can’t get 2FA right, what hope is there for smaller companies? And if they rely on a third-party service, what happens when that service goes down—do we suddenly lose access to dozens of accounts at once?
My own carrier had an outage last week. I couldn’t log into my panel because the SMS code never arrived. With SMS-based 2FA, even a basic network hiccup can swallow the text entirely.
Providers treat 2FA like an optional safety net, not a core feature. That means they don’t bother with robust fallback mechanisms. If every password-based account requires 2FA now, why doesn’t the system roll both ways? Accounts set up only with phone or email should also require a backup password. Because when 2FA goes wrong—and it does a lot—you’re screwed.
Inbox clutter and privacy
Codes come with hidden costs
Every login attempt becomes another email or text I never asked for. 2FA makes it inevitable. I’m constantly handing my email or phone number to companies I’d rather not. Remember when you could just sign up with a username and password? Back then you had to confirm the password; now you confirm your email instead. Passwords aren’t cool anymore.
And there’s a deeper privacy issue. When my email provider handles 2FA codes, it’s essentially monitoring every login attempt. Gmail knows when I try to log into PayPal. I don’t want Gmail to know that. SMS 2FA is even worse. My carrier, which already has my number and location, now knows which apps I use and when I use them. No, they won’t use the codes to log in as me—but it’s creepy.
Even if you’re not a privacy nut, you still want peace of mind. I don’t want to hand my phone number to every site I sign up for, only to be spammed with marketing crap. I don’t want to have to reply “STOP” to some short code and then get charged for it.
I really value a peaceful inbox, especially my iPhone messages. That’s why I loved iOS 26—it finally brought spam folders to iPhones. But in the worst cases, the service uses the same number for both 2FA and spam messages. Block the number, and you’ve just blocked yourself out of your account. Perfect.
Permanent lockouts
I’m still not over my lost Outlook account
Failure to access your backup email, phone, or device can leave you permanently locked out of critical accounts, and the recovery process is brutal. I’ve lived this nightmare with Microsoft, and over a year later, I’m still paying the price.
I had an Outlook email tied to both university and work. Every single important account—Asana, Slack, CMS, company sites, LinkedIn, my university panel, VPN—was connected to this address.
I just wanted to send my thesis draft to my professor. Outlook had other plans—it forced me to reauthenticate. Fine. I typed my email and password, but that wasn’t enough. The 2FA code went to my backup email. The backup was, unfortunately, another Outlook email which also demanded 2FA.
The backup for the backup was my Yahoo account. You can already guess where this is going. The whole system collapsed like dominoes. Running out of time and patience, I hit Reset password. I answered two security questions correctly, only to be told my account was “blocked for suspicious activity.”
By the time I clawed back access to Yahoo and my secondary Outlook, the main account was gone. Microsoft’s recovery system wanted the subjects of my recent emails (fine), my recent contacts (fine), and the country I signed up from (impossible—I always used a VPN). I guessed the country wrong. Microsoft’s response was to strip me of the ability to ever try again. Locked out permanently.
I had to scramble and change my email everywhere, explain to professors and colleagues, and apologize for the mess. Some services still won’t let me update my login without that Outlook address. If I get signed out, those accounts are gone forever.
Yes, my security habits weren’t great. I shouldn’t have used Outlook as the backup for Outlook. I should’ve checked my backups more often. But this punishment is extreme. Security should protect users without making them hostages of their own accounts. Instead, 2FA locked me out of my own life. And in 2025, customer support isn’t really an option. You’re going to get an AI chatbot instead.
The cure is worse than the disease
Given everything, I understand why 2FA was introduced as a bulwark against unauthorized access, but its real‑world implementation has proven to be more trouble than it’s worth. The overcomplication of access, the unreliable nature of code delivery, the clutter and privacy intrusion in our inboxes, and the terrifying prospect of permanent lockouts—does the cost of this extra layer of security truly outweigh its intended benefits?
