Not sure how Digital Ocean is comparable to what Heroku used to be.
reply
Used to be; now they are requiring 2FA for add-on domains over a certain amount.
reply
Of all the things to be upset about, mandatory 2FA doesn't seem like one.
reply
2FA has been in place for years through email, but this new requirement forces a phone.
reply
Good. E-mail based 2FA is bad, and they appear to support TOTP too as an option, as they should. Wish they supported U2F though.
reply
Why is email-based 2FA bad but phone good? There are classes of issues you get through phone 2FA compared to email.
reply
Typically, you can also reset password via email, so it's really only one factor. Compromised email = compromised server.
reply
It’s negligent to not use 2FA for any cloud platform where credentials can be used to spin up resources.
reply
I should have been more clear: 2FA has been in place for years; the phone requirement is new.
reply
They use TOTP for 2FA (industry standard), which doesn't require a phone.

Their help page lists a bunch of 2FA app options, all of which run on phones, so it's understandable to think a phone is required. (I'm disappointed they don't list the app I use, which is Aegis Authenticator.)

But actually you can use any TOTP app, and they don't all need a phone. For example, macOS (desktop) has built-in TOTP 2FA as part of the password manager.

reply
Good! Should have been done long ago.
reply