Thank you for your feedback. I will look into that.
Regarding my article, you misread what I said. I said that if you are using the specific application called Google Authenticator on your phone for Time-Based One Time Passwords then and only then you need to be aware that it's linked to the specific phone and that changing phones or restoring your phone from a backup will remove all One Time Password entries from Google Authenticator. Moreover, this has nothing to do with my assessment of Two Factor Authentication versus Two Step Verification.
With Joomla's Two Factor Authentication you are sending the TOTP (Time-based One Time Password, the six digit code) with your username and password. This means that an attacker can create a phishing page that captures all of the information required to spoof a login to your site: username, password and Two Factor Authentication.
At the exact opposite end, Akeeba LoginGuard implements Two Step Verification. When you login you do not enter any second factor information. A phishing page would only get your username and password. The next page lets you provide a second authentication factor. This small change makes a major difference in security for two reasons: a. it's harder for an attacker to make a phishing page that doesn't tip you off and b. you can use phishing-resistant to unphishable second factor methods such as W3C Web Authentication (WebAuthn), OTPs sent via push messages etc. The idea being that the former cannot be phished and the latter would need you to log into the site for the OTP to be sent, making it impossible for the attacker to spoof that part in a phishing page.
Either way, removing LoginGuard altogether doesn't make sense. If you are worried that Google Authenticator will erase itself you can add fallback second factor methods (such as code by email) or even disable all second factor methods in your account with the big, red Turn Off button. Furthermore, you do not have to use the Google Authenticator application; that was a good solution ten years ago but definitely not anymore. If you still want to use TOTPs you can use Authy instead. It's free and it can sync to the cloud and other devices – the sync is encrypted with a password. Or you could use a password manager that's aware of TOTPs such as 1Password, albeit that's a solution that carries a small cost.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
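The difference between the two flows described in the reply above, as an added illustration that is not Joomla or LoginGuard code: a single-form login that takes the TOTP alongside the password, beside a two-step login whose second factor is a server-issued challenge delivered out of band. The user, password, seed and session handling are hypothetical constructs for the demonstration.

```python
import hashlib, hmac, secrets, struct

# Constructed demo account (hypothetical user, password and TOTP seed).
USERS = {"alice": {"password": "correct horse", "seed": b"12345678901234567890"}}

def totp(seed, now, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 for Unix time `now`."""
    mac = hmac.new(seed, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def login_one_shot(user, password, code, now):
    """Single-form 2FA: username, password and TOTP arrive together, so a
    phishing page that captures the form holds everything the login needs."""
    u = USERS.get(user)
    return bool(u) and u["password"] == password and hmac.compare_digest(code, totp(u["seed"], now))

PENDING, INBOX = {}, {}   # server-side pending logins; the user's out-of-band device

def step1(user, password):
    """Two-step verification: only credentials are checked here. A server-made
    challenge goes to the user's device; it never appears on the login form."""
    u = USERS.get(user)
    if not u or u["password"] != password:
        return None
    sid, challenge = secrets.token_hex(8), secrets.token_hex(4)
    PENDING[sid] = (user, challenge)
    INBOX[user] = challenge           # stands in for push / e-mail delivery
    return sid

def step2(sid, response):
    """Second page: the response must match the challenge bound to this login."""
    user, challenge = PENDING.pop(sid, (None, None))
    return challenge is not None and hmac.compare_digest(challenge, response)

def simulate(now):
    """Replay what a phishing form could capture against both flows.
    Returns (one_shot_spoofed, two_step_spoofed, two_step_legitimate)."""
    # The victim typed user, password and the current TOTP into the phishing form.
    captured = {"user": "alice", "password": "correct horse", "code": totp(USERS["alice"]["seed"], now)}
    one_shot = login_one_shot(captured["user"], captured["password"], captured["code"], now)
    # Against two-step the stolen password passes step 1 (and pushes an unsolicited
    # challenge to the real user's device), but the form never carried that challenge.
    sid = step1(captured["user"], captured["password"])
    two_step = step2(sid, captured["code"])
    # The real user reads the challenge from their own device and succeeds.
    sid = step1("alice", "correct horse")
    legit = step2(sid, INBOX["alice"])
    return one_shot, two_step, legit
```

The unsolicited challenge that lands on the real user's device during the replay is also a useful signal that the password has leaked.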