I understand the idea of and the need for two-factor authentication. But I’m unable to understand the point of using an authenticator app with the accounts that I use. For some accounts the use of a phone number is required even after setting up an authenticator app. In some cases a two-factor authentication method of sorts is implemented through email. Below, I’ll use as examples accounts for Amazon, Apple and Nintendo.
Amazon supports the use of an authenticator app, but doesn’t allow removal of the phone number associated with the account. Verification codes can be requested through use of the phone number after installing an authenticator app. This retains the vulnerability to weaknesses in the use of a SIM card.
Apple also allows the use of a “trusted phone number” as an alternative to using a trusted device.
Nintendo supports the use of an app, but also sends verification emails when two-factor authentication is not enabled. To me, this seems like the better way since I can enjoy the additional protection without an increase in complexity in the form of an additional authenticator app. I can also log in to the account as long as I’m able to access the email account associated with the Nintendo account. An authenticator app would run on a single device, but an email account can be accessed through many devices.
Just to be sure: I am not railing against the idea of two-factor authentication or any of the implementations as such. I genuinely do not understand how to think of a proper “model” for using two-factor authentication. As it is, I’m thinking of not bothering with the use of apps for myself or the family and using the text message or email methods many of the services guide me to use anyway. My question then is: am I doing it wrong or is two-factor authentication a valid idea suffering from lack of a powerful enough actor to force its proper implementation?