Follow on to the Password Thread, Convince me about 2FA

Well I just checked my gmail/google apps account and I have them stored in LastPass. If you want to test, disable 2FA, re-enable. It will need to offer new backup codes since the “secret” will have changed.

The UI behind most 2FA is a right pain in the hind. That doesn’t make it any less important for your security.

For straight up passwords, assume a determined attacker will find a way to break, find, etc. your password to accounts that matter eventually.

I cannot count the number of times I have been notified that a password for an account I own has been “involved in a data breach”. What I can count, however, is the number of times a computer or account I own has been compromised due to a password breach over the past 40 years: zero.


I agree with everything said about the importance of having a second or multiple factor authentication. I can talk from experience that more than one person I know has had their email account hijacked because they did not have 2FA or MFA.

To me the biggest threat is stolen identity. Imagine someone can send email impersonating you; the consequences are really huge.


You have no idea how much I’d LOVE to disable 2FA. At least Apple won’t allow it. :slight_smile: And FWIW, I’ve seen Google STILL demand confirmation codes after disabling 2FA. Which is insane.

Right. And given that 2FA’s main job is to lock you out of your own account if it’s not satisfied, regardless of whether you know your password, I’m saying that’s absolutely unacceptable.

“Oh, you don’t have that phone number anymore? Well when you switched you should’ve gone through (insert complicated twenty-step process that’s poorly documented) to keep your account up to date. Sorry, you’re locked out.”

There’s no world in which that should be an acceptable practice.

You know more than one person that uses good, secure passwords that’s had their account hijacked?

Except I can send an email from any address on the Internet - no password required. Receive? No. Send? Absolutely. Not an issue at all.

Email isn’t hijacked because someone doesn’t have 2FA. It is hijacked because someone clicks a link in an email because they cannot stop their curiosity, and that link starts a chain of intrusion.

Seriously? You need to convince me that you can :grin:

Not sure where to inject this.

ZDNet articles were easier to find than the underlying MS articles:

I have 2FA set on my DNS service, email, website server, github, banks and a few other key places.

I’ve done professional work in security (a long time ago) and it left me just paranoid enough.

FWIW I also backup my gmail so if I do lose the account, I’m not burned.

Be happy, choose your own path.

  • Mark

It’s been possible with vanilla SMTP since day 1. Nothing in the protocol itself prohibits it, as long as the outgoing server isn’t checking. Scammers do it all the time. All you need is an email server with slightly lax security.

Just connect to a poorly-configured (or intentionally-misconfigured) server, tell it you’re something like biden@whitehouse.gov, and whoever you send to will get a friendly note from the President. :slight_smile:

But don’t at least some SMTP servers require some form of authentication? Fastmail, for one, requires a password.


I may be as paranoid as you are. I have set up advanced protection for my primary gmail account. It is free but it can be annoying sometimes as it does not allow any 3rd party app connection (except Apple Mail, I think), but I reserve this account for important communications such as with government agencies.

I think you’re misunderstanding what I’m saying.

Let’s say you have an email like fuzzygel@gellin.com. You have that email at Fastmail. So yes - for you to send email through the company you pay to handle that for you, you have to connect to Fastmail’s server, give it your outgoing SMTP authentication, etc.

But any email server in the world can generate email from fuzzygel@gellin.com. There’s no security on that. There’s an audit trail embedded in the headers, so the receiving email client can at least theoretically tell where the email originated and decide whether it thinks it’s correct - but that typically just lands it in somebody’s spam - where other valid messages likely also end up on a routine basis. At that point it’s all about the content of the message, how trusting the recipient is, etc.

Or if the recipient has your email address whitelisted, it might not even go to spam - it might just sail on through direct to their inbox.

I promised myself I would stop and yet here I am again.

If you know what you’re doing, you can add SPF and DKIM authentication to your own domain, in which case most modern email systems will reject email that doesn’t come from servers you’ve authorized. Undoubtedly whitehouse.gov has.

Our business email domains do this because we send email out via mailing list providers. However, if you screw this up, email won’t go through.

This is a good and interesting discussion. Are you sure that there is no authentication and that anyone can send email using any domain name, such as your example of @whitehouse.gov? I’ll be very surprised if you can actually do that. I do not encourage you to try, in case you get into trouble with Homeland Security, but you can give it a try using my domain fuzzygel.com. At least to test this from an academic perspective (and I get a free cybersecurity threat test :rofl:)

On a more serious note, I found the information on this site to be good info.

Yes, agreed, our posts just crossed. I have done this for my fastmail account using my domain fuzzygel.com. However, I am not the one who knows what to do. I had to get the friendly fastmail support to help me insert the right lines/code into my domain DNS.

Correct. But that authentication doesn’t prevent the sending - it only lets well-configured servers / email clients determine that the sending server doesn’t match what you’ve said it should be.

At that point they have the choice of either rejecting it outright, or doing something to flag it as spam before delivering it. And in my experience it’s not uncommon for it to be flagged and delivered rather than rejected because misconfigured SPF/DKIM records are so common that a lot of legit email would otherwise get tossed.

Yeah, I would guess it’s probably illegal to do. :slight_smile: I’m not going to go through the gyrations to try this using my production server, but I can refer you to this article from 2017 where the author quite literally sent an email to his own Gmail from potus@whitehouse.gov:

https://dylan.tweney.com/2017/10/25/how-to-fake-an-email-from-almost-anyone-in-under-5-minutes/

And back in 2017 anyway, Gmail didn’t throw it away because whitehouse.gov hadn’t implemented DMARC:

There’s likely a lot of low-hanging fruit here for scammers. And again, since the security is all dependent on the recipient’s configuration, it’s highly variable whether the “protection” protects the end users at all.

@webwalrus, agreed, these are really good points.

Incidentally, fuzzygel.com doesn’t have a DMARC policy. And whitehouse.gov does have a DMARC policy, but it does nothing to instruct receiving systems to reject mail that fails DMARC.

You can check records here - Free DMARC Check & Record Test - DMARC Inspector
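As an added example (not code from anyone in this thread), this small Python script parses a DMARC TXT record the way a receiver would and reports whether the published policy actually asks for failing mail to be rejected, quarantined, only monitored (p=none), or enforced on only part of the traffic (pct below 100). The sample records are constructed for illustration and are not the real records of fuzzygel.com or whitehouse.gov.

```python
import re

# Constructed sample records (hypothetical; not fetched from DNS).
SAMPLE_RECORDS = {
    "no-policy.example": None,  # no _dmarc TXT record published at all
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@partial.example",
    "strict.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
}

def parse_dmarc(txt):
    """Split a DMARC TXT record into lowercase tag -> value pairs.
    Returns None unless it starts with v=DMARC1 and carries a p= tag."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        m = re.fullmatch(r"\s*([A-Za-z]+)\s*=\s*(.+?)\s*", part)
        if m:
            tags[m.group(1).lower()] = m.group(2)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def enforcement(txt):
    """Classify what the record asks receivers to do with failing mail:
    'missing'    no usable record, receivers fall back to their own heuristics
    'none'       monitoring only, failing mail is still delivered
    'partial'    quarantine/reject requested for only pct percent of failures
    'quarantine' / 'reject'   the requested disposition for failing messages
    """
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing"
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "missing"  # unrecognised p= value; treat the record as unusable
    if policy == "none":
        return "none"
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return "partial"
    return policy

def report(records):
    """Map each domain to its enforcement classification."""
    return {domain: enforcement(txt) for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, level in report(SAMPLE_RECORDS).items():
        print(f"{domain:22} {level}")
```

Only the "reject" (and, to a lesser degree, "quarantine" at pct=100) outcomes tell receivers to actually stop a message that fails SPF/DKIM alignment; "none" and "missing" leave the decision to the receiver's own spam heuristics, which is the gap described above.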

Yes, this is on my to-do list. Thank you, I really appreciate you checking this. I actually got a lot of freebies out of this forum :joy:

I think I am good now. Thanks a lot @webwalrus