Come on... if a site can implement this, then they can also implement #2FA using #FIDO2. Which they should, so that nicking my key isn't enough to log in as me. Odds are, most of those who don't offer 2FA also won't implement this either https://www.theregister.co.uk/2019/03/05/web_authentication/ via @theregister