Either make me create a password and then let me into my account or let me use my phone number/email to verify. It’s becoming too much to get into everyday stuff. If I have biometrics on, there is zero reason for anything else.
Basically the current security system is overdoing it. I suggest getting rid of passwords altogether OR only requiring one or the other. Like if I forget my password or I forget my phone I can use the other, but JFC it’s a hassle.
I’d agree specifically for phone/email verification, because those are so insecure as to be almost worse than doing nothing. However, some kind of MFA, with TOTP or some other kind of hardware-backed authentication factor in addition to the password should be a requirement, especially for anything banking/financial, accessing health records, or anything that might otherwise contain PII, PHI, or be able to be used to access anything even remotely sensitive.