
> Neil Schwartzman, executive director of the anti-spam group CAUCE, said Sendgrid’s 2FA plans are long overdue, noting that the company bought Authy back in 2015.

It's worth noting that this mixes up history. Authy was acquired by Twilio in 2015. Sendgrid was acquired by Twilio in 2019; there's no reason to assume that in the four-year interim SG should have used Authy.



For a company that went out and acquired a 2FA subsidiary, Twilio really doesn't seem to have their 2FA story together.

For example, you'd think a company with a division dedicated to authentication would support what the industry considers the best 2FA solution: WebAuthn. Sadly that is not an option for your Twilio account (other auth providers like Duo support WebAuthn).

Twilio has also been emailing me the past few months telling me I must turn on 2FA on my account. This is weird since I have TOTP enabled.

I feel like Twilio must be internally conflicted about this. As a company dedicated to phone services they really want to push SMS solutions even though SMS based 2FA is vastly inferior to WebAuthn.


> Twilio has also been emailing me the past few months telling me I must turn on 2FA on my account. This is weird since I have TOTP enabled.

There's been a bit of confusion about this email: you can turn on 2FA separately for your Twilio account (identified by a 32-char hex string prefixed with "AC") and your user account (your email address). The email is talking about your user account. Even if you have 2FA turned on for your Twilio account, the email is asking you to turn it on for your user account.

For some context for those who may not be familiar: the Twilio account is essentially a billing/project unit that is a container for Twilio resources you've purchased or configured. Multiple user accounts can have access to a single Twilio account, and a single user account can have access to multiple Twilio accounts. Enabling 2FA on the Twilio account means all users who want to sign into that account (regardless of their user account setting) will have to use 2FA. Similarly, enabling 2FA on your user account will require 2FA whenever you sign in, regardless of the settings on any accounts you may have access to.

(Source: I work there, got confused about this email myself, and managed to clarify internally what was going on.)


> even though SMS based 2FA is vastly inferior to WebAuthn.

SMS-based 2FA is worse than useless thanks to the rise of SIM-swapping hacks: it adds an easy attack vector into your account.


I don't get this sense at all... as a long-time Twilio customer... they have, since the Authy purchase, been pretty consistently pushing it as the solution for two-factor... SMS is a medium for retrieving the 2nd code but not pushed in any way...


> you'd think a company with an division dedicated to authentication would support what the industry considers the best 2FA solution: WebAuthn

How would WebAuthn work with someone using a mail user agent connecting via SMTP?


What Sendgrid offers here (and this is fairly typical) goes like this:

* To use their APIs or SMTP submission servers you need a bearer token, which is basically a random blob of data.

* To get a new bearer token (good for any number of API calls or SMTP submissions) you log into a web site and request a new token. This site is also where you can de-authorize existing tokens. The site is protected with 2FA.

Today, Sendgrid offers this, only with Authy for 2FA, and it's optional. If you decide bearer tokens are too complicated for your 15-year-old PHP mail-sending code, you can just use a username and self-selected password for SMTP or the API instead.

Authy has an obligatory SMS bypass. So even though you can use an app to generate codes, bad guys who can SIM swap their way to your phone number can do 2FA and get into the web site to issue their own bearer tokens.

So, today if you can guess a company's username and password on Sendgrid there's a good chance that's enough to have Sendgrid help you send spam as that company.

With the 2FA world they want to get to, you would need to either SIM-swap, trick their customer service agents, or most likely just pinch a bearer token they wrote to a Pastebin or whatever.

They could do much better in 2020, but there's no sign Sendgrid has any interest in doing more than the very bare minimum.
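The two-part scheme the comment above describes (tokens minted and revoked on a 2FA-protected web site, then presented as a bearer credential to the SMTP or API endpoint) is easy to get wrong in the details, so here is an added, self-contained model of it in Python. This is example code written for this page, not SendGrid's or Twilio's implementation: the token layout (`XY.<id>.<secret>`), the scope names, the class names and the use of RFC 4616 AUTH PLAIN with the token in the password slot are all assumptions. It shows the properties the comment relies on: issuance requires a 2FA session, the server stores only a hash of the secret, a revoked token stops working immediately, and anyone holding a copy of the token (the "pinched from Pastebin" case) authenticates exactly like the owner, since there is no second factor at submission time.

```python
"""Added example: a bearer-token model for SMTP/API submission.

Not SendGrid's or Twilio's code. Token format, scope names and class names
are invented for illustration.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical layout PREFIX.<id>.<secret>: the id is a lookup key, the
# secret is what gets compared. Only a hash of the secret is stored.
TOKEN_PREFIX = "XY"


def _hash_secret(secret: str) -> bytes:
    return hashlib.sha256(secret.encode("ascii")).digest()


def parse_token(token: str):
    """Split a presented token into (token_id, secret), or None if malformed."""
    parts = token.split(".")
    if len(parts) != 3 or parts[0] != TOKEN_PREFIX or len(parts[1]) != 16:
        return None
    return parts[1], parts[2]


@dataclass
class TokenRecord:
    secret_hash: bytes
    scopes: frozenset
    revoked: bool = False


class ControlPlane:
    """The 2FA-protected web site: the only place tokens are minted or revoked."""

    def __init__(self) -> None:
        self.records: dict[str, TokenRecord] = {}

    def issue(self, session_has_2fa: bool, scopes) -> str:
        if not session_has_2fa:
            raise PermissionError("token issuance requires a 2FA-authenticated session")
        token_id = secrets.token_hex(8)          # 16 hex chars, public lookup key
        secret = secrets.token_urlsafe(32)       # the random blob the comment mentions
        self.records[token_id] = TokenRecord(_hash_secret(secret), frozenset(scopes))
        return f"{TOKEN_PREFIX}.{token_id}.{secret}"   # shown once; never stored

    def revoke(self, token_id: str) -> bool:
        """De-authorize by id; the site can list ids without knowing secrets."""
        record = self.records.get(token_id)
        if record is None:
            return False
        record.revoked = True
        return True


class SubmissionServer:
    """SMTP submission / API side. Bearer check only: no password, no 2FA here."""

    def __init__(self, control: ControlPlane) -> None:
        self.control = control

    def authenticate(self, presented: str, needed_scope: str) -> bool:
        parsed = parse_token(presented)
        if parsed is None:
            return False
        token_id, secret = parsed
        record = self.control.records.get(token_id)
        if record is None or record.revoked:
            return False
        # Constant-time compare of the stored hash against the presented secret.
        if not hmac.compare_digest(record.secret_hash, _hash_secret(secret)):
            return False
        return needed_scope in record.scopes


def auth_plain_line(username: str, token: str) -> str:
    """Client side: RFC 4616 AUTH PLAIN message with the token as the password."""
    msg = b"\0" + username.encode("ascii") + b"\0" + token.encode("ascii")
    return "AUTH PLAIN " + base64.b64encode(msg).decode("ascii")


def smtp_auth(server: SubmissionServer, line: str) -> str:
    """Server side: decode AUTH PLAIN and return the SMTP reply."""
    if not line.startswith("AUTH PLAIN "):
        return "504 5.5.4 unsupported mechanism"
    try:
        raw = base64.b64decode(line[len("AUTH PLAIN "):], validate=True)
    except ValueError:
        return "501 5.5.2 bad base64"
    fields = raw.split(b"\0")
    if len(fields) != 3:
        return "501 5.5.2 malformed credentials"
    password = fields[2].decode("ascii", "replace")
    if server.authenticate(password, "mail.send"):
        return "235 2.7.0 authentication successful"
    return "535 5.7.8 authentication credentials invalid"


if __name__ == "__main__":
    cp = ControlPlane()
    srv = SubmissionServer(cp)
    tok = cp.issue(session_has_2fa=True, scopes=["mail.send"])
    print(smtp_auth(srv, auth_plain_line("submit-user", tok)))   # 235 ...
    cp.revoke(parse_token(tok)[0])
    print(smtp_auth(srv, auth_plain_line("submit-user", tok)))   # 535 ...
```

The revoke path is the whole point of the design: the damage from a leaked token ends the moment it is de-authorized on the 2FA-protected site, which a shared username/password for SMTP cannot offer without rotating the password everywhere it is deployed. Note also what the model does not do: nothing at the submission server distinguishes the legitimate owner from someone who copied the token, so scoping tokens narrowly and scanning for the prefix in places tokens should never appear is what limits a leak.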


> To get a new bearer token (good for any number of API calls or SMTP submissions) you log into a web site and request a new token.

Is the bearer token used as the password in the SMTP transaction? Could the same one be used for IMAP access?


They don't seem that conflicted to me. I have always assumed their SMS-only 2FA was an attempt to sell people on SMS as 2FA. But all I want is to use my Yubico.


I think the point was that they own a literal 2FA company, but don't have 2FA


They do have 2FA they just don't require 2FA.


But they only have SMS 2FA.



