The 2FA secret is never reset automatically by Blockchain.com.
That’s not really the issue here. Nobody said the 2FA secret “resets automatically.” The point is that Blockchain.com doesn’t provide any proper recovery mechanism (like backup codes), and instead their “solution” is customer support disabling 2FA for you — which completely undermines the security model.
If you think about it, that creates a bigger attack surface than the 2FA secret itself: a social engineering vector. Someone doesn’t need to compromise the authenticator app, they just need to convince support to disable it. That’s exactly the kind of flaw worth pointing out, because it means the 2FA is only as strong as the customer service agent on the other end of the chat.
This isn’t about whether funds should be moved (obviously they should, because Blockchain.com is custodial at its core). It’s about analyzing design flaws so others understand the risks — and this particular one is a big deal.
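As an added illustration of the backup-code recovery mechanism mentioned above (not part of the original post, and not Blockchain.com's code): one-time recovery codes are issued once, stored only as salted hashes, and consumed on use, so recovery does not depend on a support agent's judgment. The class and function names are hypothetical, and the in-memory store stands in for a per-account database record.

```python
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (0/O, 1/I) to cut transcription errors.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def _digest(salt, code):
    """Normalize user input, then stretch it so a leaked table is costly to brute-force."""
    normalized = code.replace("-", "").replace(" ", "").upper()
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, 100_000)


class RecoveryCodeStore:
    """Hypothetical per-account store; a real service would persist salt and hashes."""

    def __init__(self):
        self._salt = b""
        self._hashes = set()

    def issue(self, count=10, length=10):
        """Replace any previous set and return the plaintext codes, shown to the user once."""
        self._salt = secrets.token_bytes(16)
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(length))
                 for _ in range(count)]
        self._hashes = {_digest(self._salt, c) for c in codes}
        return [f"{c[:5]}-{c[5:]}" for c in codes]

    def redeem(self, code):
        """Accept a code at most once; compare every stored hash in constant time."""
        candidate = _digest(self._salt, code)
        matched = None
        for stored in self._hashes:
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self._hashes.discard(matched)  # single use: a replayed code fails
        return True

    def remaining(self):
        return len(self._hashes)
```

Re-issuing codes invalidates the whole previous set, which is the behaviour a user needs after suspecting that a printed copy was exposed.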