@DevlinMandrake The passwords don't matter. It's the CC data that matters, as well as just the PII that they get with or without MFA. Who cares if someone gets the passwords? They're worthless if what they were protecting is compromised. Account access by a third party is usually not what we're talking about or worried about in these breaches. Sure, a hijacked account means getting locked out (and if there's on-file payment information that means getting billed for purchases until you close it down), but that's not the usual shape of these breaches; it's the birth date, SSN, CC number, etc. being compromised that is the most common and more serious risk we're normally talking about.

In the case of Switch, having to go grab your phone to enter a key after entering your password every single time you want to browse what the eShop has would be ridiculous.

Now, if we're talking re-using passwords, if you need the annoying complexity of MFA to protect you from the colossal stupidity of re-used passwords, that's a whole other mess. Yeah, if I were going to use one password for everything I'd need something else to... well, let's face it, it's not 2FA at that point, it's really one factor. The password is little more than a second user name at that point. That's a very different situation where you're using "push passwords" as a replacement for real passwords more than as a second factor.

Technically this all could have been fixed by using a hardware analogue of real keys and a physical or wireless reading system before building out "web 2.0" back in the '90s. USB made that easy enough. Keep a private key on hardware keys you can copy as much as you want. Boom, done, and everyone could have easily understood how to use it. Many of us were pushing for that, including for email encryption with PGP and the like in the day. But no, the NSA had to get in the way... how dare someone want to protect data and keep them away from the ability to access it over the wire! Then we just got "web 2.0" built atop that.

At the end of the day MFA is a bad workaround that still leaves the screen door open around back, does little to nothing to protect the actual sensitive information you're trying to protect in the event the remote network is genuinely breached rather than individual user accounts, and still risks locking yourself out of your own accounts/products without recourse, to help mitigate someone else walking in the front door while leaving the back screen open. Sure, it's a "better than nothing" alternative to actual unique, secure, high-entropy passwords, if someone chooses not to use one. It does satisfy the "something you have" aspect of security, but due to a lack of standardization and universal input for that, it's a very, very crude way of doing something like that for what amounts to doubling down on what should already be a high-entropy password. And if the remote network is so weak on security that a brute force attack really could work for a volume of users, I would think getting in on the back end would be a lot easier than trying to brute force every account anyway. Why mess with logins when you can get at the user tables directly?