The personal verification question. The dumb, slow cousin of the password. Stored in plaintext, findable in social media. Not multi-factor auth
Spam. The cat and mouse game of advertisers seeking to reach more people for less cost, and, people seeking to spend more to not be reached. The current state of the art in proving “I am not a spam-sending robot” is the captcha. Do you love the captcha? Me neither. Do you sometimes fail it? Me too!
A strong password breached. Multi-factor authentication saved the day. So many passwords to check. Why can each site not use OpenID Connect single identity?
Trust-On-First-Use for enrolling multi-factor authentication.can improve your security for lower cost.
Sounds like a win to me!