2FA - solving the wrong problem
AFAICT, the recent Apple cloud leaks were caused by a password-guessing attack. In order to guess a password, the script tried 500 or so passwords for each username.
Now if Apple had been monitoring failed password attempts, and stopped repeated failed attempts, especially when a whole bunch of them for different usernames came from one IP location, this would not have worked. Apple were not using passwords in the right way.
AFAICS, Apple have now started to do this, which is why and how the attack has stopped.
Another method to defeat such attacks might be for the login username to be different from the public username, making it hard for an attacker to guess a login username.
More, if Apple had emailed the celebs saying that there had been several failed password login attempts, especially those from unusual IP addresses, and the celebs had said "I didn't do that" then Apple could have been on an especial watch (and could probably have caught the attackers).
Don't get me wrong, passwords are a totally shit method of identification, and a really bad method of authentication. But my banks use them online, along with other methods: one (Lloyds) sensibly, one (Tesco) in an overly paranoid manner which actually detracts from security.
And like PIN passwords for debit and credit cards, if used correctly online passwords seem to work well enough for money.
If I make repeated failed password login attempts to my banks they lock me out, and want me to contact them. Very sensible, if annoying. However yesterday I forgot my itv player password, and made several wrong attempts to log in - and got shut out for 30 minutes. I mean, WTF?
Passwords are useful in their place, sometimes with added password-type or other security when needed, sometimes not. Sometimes they are used in stupid ways - why does ITV Player need me to login with a password anyway?
Passwords cannot usually protect against coercive attacks, but for everyday use where they are used appropriately and monitored suitably, they are still the worst - apart from everything else.
The real problem is that people do not use them appropriately.
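The monitoring described above (stopping repeated failures from one IP across many usernames, and telling an account owner about failed attempts), sketched as an added example that is not part of the original post. The thresholds, the event tuple layout and the sample events are all constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW = 300           # seconds of failure history kept per source IP (assumed)
MAX_FAILS_PER_IP = 20  # failed logins tolerated per IP inside the window (assumed)
MAX_USERS_PER_IP = 5   # distinct usernames one IP may fail against (assumed)
NOTIFY_AFTER = 3       # failures on one account before its owner is emailed (assumed)

def analyse(events):
    """events: iterable of (unix_time, ip, username, success), ordered by time.
    Returns (blocked_ips, accounts_to_notify)."""
    recent = defaultdict(deque)     # ip -> deque of (time, username) failures
    per_account = defaultdict(int)  # username -> failures since last success
    blocked, notify = set(), set()
    for ts, ip, user, ok in events:
        if ip in blocked:
            continue                # refused before any password check
        if ok:
            per_account[user] = 0
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and q[0][0] <= ts - WINDOW:
            q.popleft()             # drop failures older than the window
        per_account[user] += 1
        if per_account[user] >= NOTIFY_AFTER:
            notify.add(user)        # owner can answer "I didn't do that"
        if len(q) > MAX_FAILS_PER_IP or len({u for _, u in q}) > MAX_USERS_PER_IP:
            blocked.add(ip)
    return blocked, notify

def sample_events():
    """Constructed data: one IP guessing across 8 accounts, one IP hammering
    a single account, and one user who mistypes twice and then gets in."""
    ev = [(1000 + i, "203.0.113.7", f"user{i % 8}", False) for i in range(40)]
    ev += [(1200 + i, "192.0.2.9", "celeb", False) for i in range(6)]
    ev += [(1100, "198.51.100.4", "alice", False),
           (1110, "198.51.100.4", "alice", False),
           (1120, "198.51.100.4", "alice", True)]
    return sorted(ev)

if __name__ == "__main__":
    blocked, notify = analyse(sample_events())
    print("blocked IPs:", sorted(blocked))
    print("accounts to notify:", sorted(notify))
```

The spread across usernames trips the per-IP rule on the sixth distinct account, long before any single account sees enough failures to lock its real owner out, while the single-account case is caught by the notification rule instead.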