You've misunderstood my point. The fact that 2FA can be bypassed by a user leaves open the opportunity for a bad actor to bypass it. It should be 2FA or no access.
Not a member of The Register?
Create a new account
Remember me on this computer?
The Register - Independent news and views for the tech community. Part of Situation Publishing
Biting the hand that feeds IT © 1998–2021