@taviso @tqbf @thenthj nobody's arguing in favor of SMS 2FA, but an intermediate step of "get people to use authenticator apps". Login pages should indeed prevent trivial scripting though, perhaps forced captcha (or opportunistic "gee where's your javascript interpreter / DOM" captcha) on all?