Summary - TWO-FACTOR AUTHENTICATION IS A MESS - The Verge
2-factor authentication is vulnerable to code interception and exploits of account recovery systems.
It is difficult for experts to assess the quality of the large number of 2-factor implementations.
Bitcoin holders have been a focus of hacks, but the practices are widespread. Account recovery systems at wireless service providers are the weakest link: an attacker often needs only a billing address to get through them, and they provide a host of social engineering opportunities.
SMS 2-factor code delivery should not be used.
The emphasis is beginning to shift from hack prevention to detection (classifying usage patterns and ambient signals).
Thank you for supporting this effort with your votes!
I hope these executive summaries save you time and bring you new ideas.