Unfortunately, the current corporate thinking in Poland is that 2-factor authentication means SMS. I see banks and other companies introduce this in spite of known vulnerabilities.
* SMS (and automated voice call) are bad for people who live in areas with poor phone coverage, people with international phone numbers, and people who want good security.
* TOTP is bad for people who don't have smartphones.
* FIDO U2F is bad for people who don't have $20, safari/iOS users, and people whose devices don't have USB.
* Vendor-specific apps are bad for people who don't have smartphones, people with low spec or poorly supported smartphones, blind people, and the privacy-conscious.
* Smart card readers and physical tokens with screens cost $$$, often aren't accessible to blind people, and are too bulky for users to carry more than one or two.
* Paper single-use codes are bad for people who log in regularly, people who don't have printers, and don't scale to multiple services all that well.
* All of the above are bad for people who are forgetful or clumsy enough to regularly lose or break the second factor.
WITH THAT SAID, you can still provide Hacker-News-reader-approved two-factor authentication by basically copying Google: Offer the user TOTP, FIDO, SMS and paper codes, let them choose any two.
Gain bonus points with a setting that stops customer services resetting the password or disabling 2fa, and a week-long warning/waiting period in case account hijackers dial up the security settings to stop the original user getting their account back.
> TOTP is bad for people who don't have smartphones.
This is only true if you're willing to define everything beyond the most mundane "dumb phone" as a "smartphone". One of my friends has a long list of exciting problems which ends up meaning he doesn't own what anyone these days would consider a smartphone.
But it's not like he uses carrier pigeons. His phone does have a (monochrome) screen and is quite capable of running software, it's just the software has to be crappy mobile Java from last century. However, TOTP is trivial, you probably can't do it in your head but you definitely can do it in a Java 1.0 implementation and so sure enough it can be run on those phones.
On a brand new Pixel of course you vaguely wave your phone near the screen, it reads a QR code and sets everything up, he has to instead laboriously transcribe a secret value using T9 input, but the same effect is achieved - a changing code that he can input to prove he knows the shared secret.
You're correct: You could TOTP from a java phone app, a tablet, an airgapped computer, a non-airgapped PC you were really confident of the security of, and so on.
That's why I said "bad for" rather than "impossible for" :)
After all, you'd still be excluding all the people who don't have any of those. Like my 90-year-old neighbour who only has a landline phone.
I've helped maybe 50 employees set up VPN access at my workplace, and at least 2 of them said they didn't have any way to TOTP independently of the laptop we were issuing them with.
> * SMS (and automated voice call) are bad for [...] people with international phone numbers
Why is that? I'm maybe spoiled by my surroundings (Poland and Europe in general), but receiving SMS text is free abroad. While using a data plan generally is not, so SMS is cheaper (free) as a second factor if you travel a lot.
Depending on where the customer is roaming from and to, they might risk a per-SMS charge, suffer unreliability, get no signal, or even turn off their phone to avoid accidentally running up a big roaming bill.
When I went from the UK to Montreal, I tried to use local Uber competitor "Teo Taxi" but was unable to as their number-confirmation SMS didn't arrive.
Some countries really don't want you automating SMSes to their local users; countries like the UAE, for example, are very restrictive. Other issues: number porting often breaks cross-carrier SMS, and roaming in general often breaks SMS delivery.
On my Canadian cellphone, unless I get a US/Intl plan before I leave, it stops entirely all my SMS when I'm outside Canada. I'm entirely dead in the water if I rely on SMS 2FA.
SMS is NOT a secure second factor!