Hi @smaffulli and thanks for your prompt, interesting, and very informative reply!
That’s a good point about SMS being an unsafe vector. I wasn’t aware of just /how/ unsafe it is, but I don’t disagree with the idea to exclude it. In fact, the more I read those threads you linked, the more I agree that SMS cannot be used as a medium for MFA.
And I understand that MFA via email is not perfect, but neither is MFA via app.
Unfortunately (unfortunately for me, that is), this means that I will not be using MFA for Dreamhost. As one commenter on that Schneier thread wrote, it’s a bit like throwing the baby out with the bathwater. More-secure MFA is better than partially-secure MFA, but some MFA is better than no MFA. I would appreciate the choice to accept a “partial improvement to my security” by using email-based MFA. But I understand that from a system development standpoint, it’s not worth the time or the risk to intentionally allow a solution that’s not up to spec.
Thanks again for explaining and sharing those liinks.