Don't force blank (0000) passkeys on users and then lock them out of their accounts, and don't restrict double-auth to just people's phones on the double-auth list (???).

Short explaination of what went on:

"I see the problem is that yahoo set up a blank (0000) "passkey" without me and without my consent and it expired. I just had to delete it. Deleting double-authentication would have just forced-logged me out and would have perma-locked me out as well. You need more training. You almost talked someone into perma-locking themselves out of an account Yahoo auto-passkeyed and auto-locked by automation. I was lucky my phone even allowed to that stage and only because I pre-set up the double-auth. Please ask to be retrained. You almost bricked my account."

Also: Why are you asking people to agree to ANOTHER layer of aggrements in order just to send feedback?! Stop that nonsense. Too many layers. Go back to simple Username and Password. Everything else is just performative security and performance legal mumbo; neither hold any water but cause problems for users.