Many who do use two-factor authentication rely on an SMS version of it, where a PIN code is texted to their phones. But it's not as safe as using a physical security key for two-factor authentication, because text messages can still be intercepted, like what happened with Reddit on Aug. 1.

https://www.cnet.com/news/hackers-breach-reddit-systems-steal-super-old-personal-information/

"We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept," Christopher Slowe, Reddit's chief technology officer, said in a post.

https://www.cnet.com/news/why-more-people-dont-use-simple-two-factor-authentication/#ftag=CAD590a51e