I've been crusading against two factor auth for a while now, including being against email as recovery/revocation fallback.

- SMS is insecure, both from a protocol and from a social engineering point of view. Google Authenticator is better, but still has fatal flaws.

- We use email for casual communication and security-sensitive account changes. This is a disaster. What happens if Google bans your account by mistake, or a thief steals your phone and decides to data-mine/destroy your online life?

- I have yet to see a two factor auth protocol with decent recovery ("I lost my phone") and revocation ("the thief used my phone to login and kick me out"). The instructions are usually "make a new backup for every new account if the site supports" and "tough luck", respectively.

Our online lives are more important than ever. Hearing "I'm sorry, you lost every single online account you ever had" is going to become recurrent unless we change our ways.

IMHO I think the best solution would look something like SQRL (https://www.grc.com/sqrl/sqrl.htm).

EDIT: I'm not against adding two-factor to a website that only has username+password. I personally use two-factor everywhere I can. My point is that this is not a good combo, from a security and usability point of view. But still better than just passwords.