Especially when it’s a website that requires an account but they want to use SMS-based or Google Authenticator style 2FA in 2025. “Magic links” are stupid as hell too if you’re not a moron and use a decent password manager — I have no clue what random email address I generated since I can’t trust any company not to sell off my PII.

How hard is it to implement FIDO2 then let valid users make requests from whatever IP address they want? IP-based blocking is pretty fucking stupid if you’re already doing secure account-based authorization.