Loss of Digital Sovereignty via Multi-Factor Authentication

One of the nefarious aspects of Multi-Factor Authentication that I have not mentioned in my previous post on the subject is the risk of losing Digital Sovereignty.

Authentication via a login and a password is well understood and is usually implemented within existing software. On the other hand, Multi-Factor Authentication is often implemented via US-based third parties: Google, Facebook, GitHub, LinkedIn, etc.

Countries cannot implement Multi-Factor Authentication for their citizens themselves either. A case in point is Belgium, whose national authentication service relies on US-based COTS software for most of its functionality.

There is a simple way to enforce Digital Sovereignty. Digital Services should be legally compelled to allow user login via a single string, akin to the API keys already used by many services.

We all know that login/password combinations are flawed, as users tend to choose weak passwords. For a lay person, the combination of a unique login and a weak password is enough to differentiate them from all other users. They do not know about rainbow tables or multi-site attacks.

That same lay person, presented with the need for a single string as their authentication key, will think seriously about its length and randomness.

That string will not be called a password but something else, be it passkey, key or passphrase, bringing with it a whole new set of assumptions and software helpers to generate such strings and store them securely in key managers.
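As an added illustration of the single-string login proposed above (example code, not from the original post), here is how a service could issue and verify such a key server-side. The names `KeyStore`, `generate_login_key` and `entropy_bits` are assumed for the example; the point it shows is that a server-generated random key needs no salting or key stretching, because the rainbow-table and weak-password problems that plague user-chosen passwords disappear once the secret has hundreds of bits of entropy.

```python
import hashlib
import hmac
import math
import secrets
from typing import Dict, Optional

KEY_BYTES = 32  # 256 bits of entropy per issued key (assumed policy)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def generate_login_key() -> str:
    """Issue a new single-string credential (hypothetical helper)."""
    # secrets.token_urlsafe draws from the OS CSPRNG, not from the user.
    return secrets.token_urlsafe(KEY_BYTES)


def key_fingerprint(login_key: str) -> str:
    # A uniformly random 256-bit key cannot be attacked with precomputed
    # tables, so a single unsalted SHA-256 is enough for at-rest storage.
    # (A user-chosen password would still need a salted, slow hash.)
    return hashlib.sha256(login_key.encode("utf-8")).hexdigest()


class KeyStore:
    """Server-side store holding only key fingerprints, never the keys."""

    def __init__(self) -> None:
        self._by_fingerprint: Dict[str, str] = {}

    def enroll(self, user_id: str) -> str:
        login_key = generate_login_key()
        self._by_fingerprint[key_fingerprint(login_key)] = user_id
        return login_key  # shown to the user once; the server keeps the digest

    def authenticate(self, presented_key: str) -> Optional[str]:
        presented_fp = key_fingerprint(presented_key)
        # Compare against every stored digest in constant time so that the
        # response timing does not depend on how many leading characters match.
        for stored_fp, user_id in self._by_fingerprint.items():
            if hmac.compare_digest(stored_fp, presented_fp):
                return user_id
        return None
```

For comparison, `entropy_bits(26, 8)` (an eight-letter lowercase password) is about 37.6 bits, while an issued key carries 256.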

While this idea seems controversial on the surface, it is actually the basis of WebAuthn and of passkeys in general.

Unfortunately, WebAuthn has been subverted by the incumbents into a complex set of standards that can only be supported by a couple of US multinationals. Moreover, it relies on the fact that users cannot have full control of their mobile devices.