Quoted from ForceFlow: I suppose I should step back and clarify since we were both making some assumptions.
MFA (multifactor authentication) and 2FA (two-factor authentication) are more generalized terms for authentication methods that don't necessarily specify what technology is specifically being used. Just that it's something beyond simply a username and password. So, that could mean just SMS OTP (one-time password) or TOTP (timed one-time password). There are also a few other technologies, such as a physical security token or biometrics.
The current security technology that has become standardized in the last few years is TOTP, so usually when the topic of MFA/2FA comes up, it's more often than not related to TOTP.
Correct. As another IT leader chiming in, this is what I immediately thought the OP and you were talking about in the original post. I'm not sure why there was confusion. Regardless, I, for one, am all for 2FA/MFA here. I don't even think we need to go all the way to the point of an Authenticator App requirement. I think even SMS-based auth is sufficient for a site such as this, since the risk of a hacker 'spoofing/cloning' a SIM card to gain real-time access to your text messages just to hack into Pinside, is LOW. Regardless, in this day and age MFA isn't really a burden on users, especially if you give them options of delivery.
I also second the idea of just making it optional to turn on...or at least flexible (i.e. text, app, or email). All of those can be set to expire within some period of time. If you don't turn it on and get hacked, that's on you. No different than it being optional still for sites like eBay.
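The TOTP mechanism the quoted post refers to (the "authenticator app" option) is specified in RFC 6238 on top of HOTP (RFC 4226): the server and the app share a secret, and both derive a short code from that secret and the current 30-second time step. The example below, added here and not part of the thread or of Pinside's code, implements the standard HMAC-SHA1 variant with a small clock-drift window and a replay guard. The shared secret is the published RFC 4226/6238 test-vector secret, so the codes it produces can be checked against the RFC tables; the function names and the time values used in the demonstration are this example's own.

```python
import hmac
import hashlib
import struct

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
# A real deployment generates a random per-user secret and usually hands
# it to the authenticator app base32-encoded in a QR code.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)     # keep leading zeros


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter = Unix time // step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: int,
                last_used_counter: int = -1, step: int = 30,
                digits: int = 6, window: int = 1):
    """Server-side check. Returns the time-step counter that matched, or
    None if the code is rejected. Accepts +/- `window` steps of clock drift,
    compares in constant time, and refuses any counter at or before the one
    that was last accepted so a captured code cannot be replayed."""
    if not (candidate.isdigit() and len(candidate) == digits):
        return None
    counter = int(at_time) // step
    for drift in range(-window, window + 1):
        c = counter + drift
        if c <= last_used_counter:
            continue                                    # already consumed
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None


if __name__ == "__main__":
    # Time 59 is the first RFC 6238 test row (counter 1): 8-digit code 94287082,
    # so the 6-digit form is 287082.
    code = totp(SECRET, 59)
    print("code at t=59:", code)
    used = verify_totp(SECRET, code, 59)
    print("accepted, counter", used)
    print("replay:", verify_totp(SECRET, code, 61, last_used_counter=used))
```

The caller stores the returned counter alongside the user record; passing it back as `last_used_counter` on the next login is what closes the replay hole, since a 30-second code is otherwise valid for the whole step (and the drift window) no matter how many times it is presented.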