For my personal threat model, most 2FA flows decrease my security. Historically, the loss of my phone is a likelier event than a compromise of my credentials, and the damage to me and the businesses holding my accounts from loss of my credentials is much less than the denial of service from loss of access. This flips with some access from my employer and my bank, but I don't associate any of my personal devices with my employer's account in any way.
It is a shame how the industry seems to think that security is some single dimension along which things are more or less secure. Denial of service for personal accounts is oftentimes more damning and common than account compromise. 2FA makes me less secure in some cases.
I absolutely get your point but I think at least some of that is on you, or on those services. There are supposed to be safeguards that remove (or at least mitigate) the risk of denial of service caused by loss of the secondary device. One-time-use codes or some other method for emergency access are common ones I can think of.
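The one-time-use emergency codes mentioned in the comment above, as an added illustration that is not part of the thread and not any particular service's implementation. It assumes a service that stores only a hash of each code (so a database leak does not hand out valid second factors), normalises what the user types, compares in constant time, and deletes a code once it has been redeemed so it cannot be replayed. The function names, the 64-bit code length and the `4-4-4-4` display format are choices made here for the example.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10      # how many backup codes to hand the user at enrolment
CODE_BYTES = 8       # 64 bits of entropy per code, shown as 16 hex characters


def _normalise(code: str) -> str:
    # Users retype these from paper or a password manager: accept upper case,
    # dashes and spaces, and compare only the hex characters.
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash_code(code: str) -> str:
    # A plain SHA-256 is acceptable here only because each code carries 64 bits
    # of random entropy; with shorter codes a slow, salted KDF would be needed
    # to make an offline brute force of a leaked table impractical.
    return hashlib.sha256(_normalise(code).encode("ascii")).hexdigest()


def generate_backup_codes(count: int = CODE_COUNT):
    """Return (plaintext_codes, stored_hashes).

    The plaintext list is shown to the user exactly once; only the hashes are
    persisted with the account.
    """
    codes, hashes = [], []
    for _ in range(count):
        raw = secrets.token_hex(CODE_BYTES)              # 16 hex chars
        code = "-".join(raw[i:i + 4] for i in range(0, 16, 4))
        codes.append(code)
        hashes.append(_hash_code(code))
    return codes, hashes


def redeem_backup_code(stored_hashes: list, submitted: str) -> bool:
    """Accept `submitted` if it matches an unused code, then burn that code.

    `stored_hashes` is the account's persisted list and is mutated in place so
    the same code can never be replayed. Every stored hash is checked with a
    constant-time comparison regardless of where the match is found.
    """
    candidate = _hash_code(submitted)
    match_index = None
    for i, stored in enumerate(stored_hashes):
        if hmac.compare_digest(candidate, stored) and match_index is None:
            match_index = i
    if match_index is None:
        return False
    del stored_hashes[match_index]
    return True


def remaining_codes(stored_hashes: list) -> int:
    """Number of unused codes; a service would warn the user when this gets low."""
    return len(stored_hashes)


if __name__ == "__main__":
    # Enrolment: the user is shown the codes once and told to store them offline.
    shown_to_user, persisted = generate_backup_codes()
    print("Backup codes (store these somewhere safe):")
    for c in shown_to_user:
        print("  ", c)

    # Later, the phone is lost: the user logs in with a backup code instead of TOTP.
    typed = shown_to_user[2].upper().replace("-", " ")   # sloppy retyping still works
    print("first use accepted:", redeem_backup_code(persisted, typed))
    print("replay accepted:   ", redeem_backup_code(persisted, typed))
    print("codes remaining:   ", remaining_codes(persisted))
```

Two things this example deliberately leaves to the surrounding service: the login endpoint still needs to rate-limit backup-code attempts per account (ten valid codes out of a 64-bit space is no help if an attacker can guess online without limit), and a successful redemption should trigger a notification and a prompt to re-enrol a second factor, since each use permanently spends one of the user's escape hatches.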
True, but you are missing the point. A system is secure that acts in its user's best interests. In the case above, 2FA is not in the user's best interest, as defined by the user.