The only thing really holding me back from wanting to use iCloud mailing services is the current implementation of MFA on Apple services.
It would be fine if you were allowed to use normal MFA options, but no, that is not possible. Instead, you MUST confirm your logins via already signed-in Apple devices only. There is no other way. Cannot use a phone number (for good reason, but that is beside the point), cannot have a secret-key-based TOTP.
Google, on the other hand… I’ve seen two people lose their Gmail accounts even though they knew the password, because Google required verification from a mobile device that no longer existed. :|
I think Google also has recovery keys. I have a slip of paper with ten long strings on it that Google told me could be used to regain access to my account.
Google seems to have changed their MFA strategy recently, where normal TOTP apps are a backup measure while the already signed-in device is the primary. It wouldn't shock me if they don't prompt you to set up the app or recovery keys anymore.
I don’t think that they do [prompt you] anymore. I recently had to set up Gmail with Google Authenticator and there was no mention of recovery keys. Not sure if I could go in after the fact and generate any.
Google supports MFA apps. I use Microsoft's and I've been able to recover after switching to a brand-new phone without moving data over because Microsoft syncs with cloud services. (iCloud on iPhone)
I wish they'd let users decide what they want to use as additional factors. I would like to ban phone calls, emails, SMS, and TOTP entirely from all my accounts, especially those that hold credentials for other services, and use only WebAuthn.
I'd love to use Apple's keychain for credentials for convenience, but it can quickly become the weakest link, when it should be the strongest.
TOTP is not as secure as WebAuthn, because if you enter the TOTP code into a phishing site, the phisher can now successfully authenticate as you. WebAuthn was specifically designed to be immune to this case: if you were to use your WebAuthn key in a phishing website, the phisher would not then be able to authenticate as you on the real site.
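To make the origin-binding point above concrete, here is an added example (not code from the original thread or from any vendor) that implements both server-side checks side by side: RFC 6238 TOTP verification, which has no input for where the code was typed, and a WebAuthn-style assertion check, where the browser writes the page origin into clientDataJSON and the relying party rejects any assertion whose origin does not match. The authenticator signature is simulated with HMAC over the same bytes a real authenticator signs; real WebAuthn uses an asymmetric credential key, and all hostnames, secrets and the timestamp are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import struct


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# ---------- TOTP (RFC 6238: HMAC-SHA-1, 30 s step, 6 digits) ----------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    return hotp(secret, unix_time // step)


def rp_verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    # The server knows only the shared secret and the clock. Nothing in the
    # protocol tells it *where* the user typed the code, so a code entered on
    # a look-alike page and forwarded within the window verifies just fine.
    counter = unix_time // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# ---------- WebAuthn-style assertion ----------
def browser_client_data(challenge: bytes, origin: str) -> bytes:
    # The browser, not the web page, builds clientDataJSON and fills in the
    # origin of the page that called navigator.credentials.get().
    return json.dumps({"type": "webauthn.get",
                       "challenge": _b64url(challenge),
                       "origin": origin}, separators=(",", ":")).encode()


def authenticator_sign(cred_key: bytes, rp_id: str, client_data: bytes) -> dict:
    # authenticatorData = SHA-256(rpId) || flags (user-present) || 32-bit counter.
    auth_data = _sha256(rp_id.encode()) + bytes([0x01]) + (0).to_bytes(4, "big")
    # The signature covers authenticatorData || SHA-256(clientDataJSON), so the
    # origin string is bound into what gets signed. HMAC stands in for ECDSA here.
    signed = auth_data + _sha256(client_data)
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return {"authenticatorData": auth_data, "clientDataJSON": client_data, "signature": sig}


def rp_verify_webauthn(cred_key: bytes, rp_id: str, expected_origin: str,
                       challenge: bytes, assertion: dict) -> bool:
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != _b64url(challenge):
        return False
    if cd.get("origin") != expected_origin:   # the origin check is the phishing defence
        return False
    if assertion["authenticatorData"][:32] != _sha256(rp_id.encode()):
        return False
    signed = assertion["authenticatorData"] + _sha256(assertion["clientDataJSON"])
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def demo() -> dict:
    now = 1_700_000_000                       # constructed timestamp
    totp_secret = b"12345678901234567890"     # constructed shared secret (RFC test key)
    cred_key = b"constructed-credential-key"  # constructed credential key
    rp_id, real_origin = "accounts.example", "https://accounts.example"
    phish_origin = "https://accounts-example.test"   # constructed look-alike origin
    challenge = b"\x01" * 32                   # constructed server challenge

    # TOTP: the code the user typed on the look-alike page, checked by the real RP
    # a few seconds later, is indistinguishable from one typed on the real page.
    code_typed_on_phish = totp(totp_secret, now)
    totp_relayed_ok = rp_verify_totp(totp_secret, code_typed_on_phish, now + 5)

    # WebAuthn: same challenge, but the browser records the page's actual origin.
    legit = authenticator_sign(cred_key, rp_id, browser_client_data(challenge, real_origin))
    phished = authenticator_sign(cred_key, rp_id, browser_client_data(challenge, phish_origin))
    return {
        "totp_relayed_accepted": totp_relayed_ok,
        "webauthn_legit_accepted": rp_verify_webauthn(cred_key, rp_id, real_origin, challenge, legit),
        "webauthn_relayed_accepted": rp_verify_webauthn(cred_key, rp_id, real_origin, challenge, phished),
    }


if __name__ == "__main__":
    print(demo())
```

In a real browser the defence is layered: the browser would not even let a page at the look-alike origin request an assertion for the RP ID `accounts.example`, because the RP ID must be a registrable suffix of the calling origin; the demo skips that client-side refusal to show that the relying party's origin comparison alone is enough to reject the relayed assertion, while the TOTP check has no such input to compare.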
You have to have the generator somewhere to get the code. If it's in software, you must have access to that software, and it must be secure. With WebAuthn, it can be a hardware token, and usually multiple of them stored in various locations that only you can access (safe deposit box, physical safe, etc.).
You can have multiple accounts on one "trusted phone number". The trusted phone number is where Apple sends the SMS 2FA code. I have several Apple IDs on one phone number.
This is different from the "Reachable at" phone number, which must be unique and is used for iMessage and FaceTime; if it's blank, other people can only reach you via your iCloud account email.
(It makes sense if you think about it, parents setting up iCloud accounts for their children's iPads who might not have their own phone).