ebersman> Yup. This is a good example of what I'm advocating. Just
ebersman> saying "use 2FA" or "use DNSSEC" or "have a CAA" isn't
ebersman> sufficient detail to make informed decisions of
ebersman> risk/effort/reward tradeoffs. Simplistic suggestions without
ebersman> details or context aren't doing anyone any favors.
ebersman>
ebersman> That said, even SMS 2FA is better than no 2FA. Barely. Just
ebersman> like forcing lousy passwords is better than no password but
ebersman> still not a best practice.

valdis> Feel free to suggest a workable 2FA. Personally, I use a
valdis> Yubikey where I can. Oath seems to be a reasonable approach for
valdis> technically minded people, but I'm not sure that it scales well
valdis> to the people who own the long tail domains in the 40 million
valdis> .coms. I can get oathtool to behave the way I want, but I'm not
valdis> sure the owner of joes-bait-tackle-and-gunshop.com will be able
valdis> to deal with it.

Agreed. But this also gets down to the risk vs hassle tradeoff. Joe's
Bait & Tackle Shop probably isn't getting attacked by nation states who
can hack SS7, so SMS text might be good enough. And certainly better
than just an 8 char plain text password.

Risk/attack surface is part of that context I mention. Folks in
sensitive jobs will need better protection and hopefully be more capable
of using less "user friendly" tech. Folks protecting less and with less
geek background should still have some protection but it doesn't need to
be nearly as fancy.