Dex

Big hearted fluffdragon...

...fictional ex-90s platformer mascot, nerd, plural, ΘΔ.



staff
@staff

hi there! two-factor authentication is now available in your user settings. as we noted yesterday, if you have a bot running on your account and you want to turn it on, you should get in touch with us to move your bot pages to a second account until our public API support ships.

FAQ

Q: what forms of 2fa are available?
A: right now you'll need an authenticator app like Google Authenticator, Authy, or a password manager with built-in 2FA like 1Password, but we'll also be considering adding support for other forms of 2FA like hardware tokens in the future.

Q: why do this now?
A: we didn't feel comfortable with starting work on features like tipping or subscriptions without two-factor authentication in place. other features we want to ship like passwordless login also require some of the underlying improvements we made to ship 2FA.

Q: this took a while to ship. why was it so complex?
A: as part of writing this change, we had to basically rewrite the site's login system because we'd made the assumption three years ago that logging in would be a one-step process that always goes the same way. it turns out the login system touches a lot of the site! (for people writing web sites after us: we suggest that building in an explicit state machine for authentication from the ground up is a good place to make an exception to YAGNI.) we also used this as an opportunity to figure out what longer-term changes we'd be making to clean up some of our, uh, idiosyncratic approach to error handling.

we're glad this is out the door, and we heartily encourage everyone to turn it on if they can! thanks for using cohost :eggbug:



in reply to @staff's post:

thank you staff!!!!! :eggbug: i wanna remark that my google auth saved the details as "cohost.org (undefined)" but also thank you for the Authy recommendation because i've wanted to switch off the Google Auth anyways 😆😆

hell yeah, excited to see it :D

as just some color for anyone asking that third question, at {dayjob} i recently added MFA as a built-in to a few of our products. it turns out that even a lot of frameworks are kinda weird about an actual two step process, because "this person has provided valid credentials but not a secret third thing" despite being super common doesn't have the easiest patterns to implement.
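The explicit login state machine the staff answer recommends, and the "valid credentials but no secret third thing yet" state the reply above says frameworks handle awkwardly, look like this when written out. This is an added illustration, not cohost's code or the commenter's: the user records, the salt, the `LoginSession` class and the `fixed_clock` helper are assumptions made for the example. The TOTP secret is the RFC 6238 test-vector key so the expected codes can be checked against the published values, and the session refuses to accept a code from any state other than "password verified, second factor pending", so the second step cannot be skipped.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from enum import Enum, auto
from typing import Callable, Dict, Optional


class LoginState(Enum):
    START = auto()                   # nothing verified yet
    AWAITING_SECOND_FACTOR = auto()  # password ok, TOTP still required
    AUTHENTICATED = auto()           # every required step passed
    FAILED = auto()                  # terminal: start a new session


class IllegalTransition(Exception):
    """An event arrived in a state that does not accept it."""


@dataclass
class User:  # hypothetical user record for the example
    pw_salt: bytes
    pw_hash: bytes
    totp_secret: Optional[bytes] = None  # None means 2FA is not enabled
    last_totp_step: int = -1             # highest TOTP step already accepted


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; a site would normally use argon2/scrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_step(unix_time: float, period: int = 30) -> int:
    """RFC 6238 time-step counter."""
    return int(unix_time) // period


class LoginSession:
    """One login attempt. Every event checks the current state before doing anything."""

    def __init__(self, users: Dict[str, User], clock: Callable[[], float] = time.time):
        self.users = users
        self.clock = clock
        self.state = LoginState.START
        self.username: Optional[str] = None

    def _require(self, expected: LoginState) -> None:
        if self.state is not expected:
            raise IllegalTransition(f"{self.state.name} does not accept this event")

    def submit_password(self, username: str, password: str) -> LoginState:
        self._require(LoginState.START)
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(hash_password(password, user.pw_salt), user.pw_hash):
            self.state = LoginState.FAILED
            return self.state
        self.username = username
        # A valid password is not a logged-in user: the second step is its own state.
        self.state = LoginState.AWAITING_SECOND_FACTOR if user.totp_secret else LoginState.AUTHENTICATED
        return self.state

    def submit_totp(self, code: str, window: int = 1) -> LoginState:
        self._require(LoginState.AWAITING_SECOND_FACTOR)
        user = self.users[self.username]
        now_step = totp_step(self.clock())
        for step in range(now_step - window, now_step + window + 1):
            if step <= user.last_totp_step:  # already used: a captured code cannot be replayed
                continue
            if hmac.compare_digest(hotp(user.totp_secret, step).encode(), code.encode()):
                user.last_totp_step = step
                self.state = LoginState.AUTHENTICATED
                return self.state
        self.state = LoginState.FAILED
        return self.state


# Constructed sample data; "alice" has 2FA enabled with the RFC 6238 test-vector key, "bob" does not.
SALT = b"example-salt"
USERS: Dict[str, User] = {
    "alice": User(SALT, hash_password("correct horse", SALT), totp_secret=b"12345678901234567890"),
    "bob": User(SALT, hash_password("hunter2", SALT)),
}


def fixed_clock(unix_time: float) -> Callable[[], float]:
    """Clock stub so the example is reproducible (T=59 is an RFC 6238 test time)."""
    return lambda: unix_time


if __name__ == "__main__":
    s = LoginSession(USERS, clock=fixed_clock(59))
    print(s.submit_password("alice", "correct horse"))  # AWAITING_SECOND_FACTOR
    print(s.submit_totp("287082"))                      # AUTHENTICATED
```

The two design points worth copying are that `submit_totp` is unreachable until the password step has moved the session into `AWAITING_SECOND_FACTOR`, so "password checked" and "logged in" can never be confused, and that each accepted time step is recorded per user so the same six digits cannot be presented twice inside the validity window.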