Re my earlier question about 5 posts up... any idea whether BA will allow opting out of 2FA? As mentioned, my concern is if lost / stolen / broken mobile phone then that would be it. I couldn't even use my e-mail account registered with BA because that now has 2FA and needs my phone to authenticate. Personally I would rather not have 2FA on my BA account and still be able to log on from any web-enabled PC just using my Exec Club # and Password.
The problem here is that having just a username and password has for a long time been considered insecure. Apart from the common-sense need to protect their systems and services, BA are additionally on the hook legally to protect customers' personal data, some of which is deemed sensitive by law.
If a data breach were to occur whereby it was determined that BA, as a processor of data, had "failed to take appropriate technical measures" to secure access to personal data, they could be looking at a fine of up to 4% of global turnover. Just having a username and password is no longer considered an appropriate technical measure for an internet-facing service. Whether the regulator and the courts would use their remedy to the full extent is unknown, but BA's insurers will be influencing things here to eliminate risk.
Then you have got to ask yourself: if they had an exemption process (and it could well be that they do, to cater for customers with specific needs), that would not absolve them from needing to protect your data, so they are unlikely to offer exemptions willingly; it would likely be based on medical need, as every exemption is overhead and risk.
Unfortunately 2FA and MFA are the way the world is going, and indeed passwordless, where you only use the one-time token and don't have a password.
I only have an iPhone and a laptop PC (Windows). Plus, what is "MFA"?
MFA is multi-factor authentication (where you might have several options).
2FA is two-factor authentication, a subset of MFA.