Personally I have more trust in Telegram; to assume anything trusted or developed by Russians is automatically untrustworthy feels like accepting British propaganda. Most of the best security software is written by Germans or Eastern Europeans.
On to the subject of passwords.
Some experts are finally speaking out that password policies need to be user friendly to be effective.
By user friendly I mean the following.
Do not block auto complete.
Do not block password managers.
Do not enforce changing of passwords unless actually compromised.
Do not block copy and paste.
The reason being, if you force your users to manually type in a password, it's much more likely they will use an easy to remember short password, and also more likely they will use the same password on multiple services.
Password managers should require some form of authentication to unlock.
2FA systems ideally need a form of authentication as well. Authy FTW over Google Authenticator.
PINs in place of passwords are, I agree, a big downgrade, so e.g. compare an 8-character alphanumeric mixed-case password to a 4-digit PIN: the number of possible combinations is drastically reduced. PINs, I believe, got introduced because service providers are obsessed with the idea of the end user having to enter their password on every access (no persistence), and to compensate for the inconvenience they come up with PIN systems which are much quicker to type in, especially on phones.
I think persistent logins are fine on non-shared home PCs and laptops. Phones, which are considerably easier to steal and lose, perhaps not so much, but I do feel phones should at least have some semi-persistence that is utilised when on a Wi-Fi network but disabled when on mobile data; the persistence would also get reset if the WAP changes.
An issue with 2FA that has no authentication in front of it is what happens if e.g. Tesco Bank implements Google Authenticator, and the Google Authenticator is on the stolen phone. The only protection is if the thief has no clue what it is so cannot work out how to use it; otherwise they need merely to open the app to get the key. What I do here is I only use internet banking on my PC, never from my phone. That means the 2FA and the device used to access the banking are not the same device.
Authy can remotely disable devices' access to keys, and can also be protected locally by a PIN to use. A PIN is short, but it's better than Google Authenticator, which has no protection to open the app. SMS for 2FA is better than no 2FA, providing the 2FA cannot be used for account recovery.