Very cool that when someone repeatedly fails to log in to my credit card company's site as me, they lock my account and force me to change my password, instead of just having proper two-factor authentication in the first place. They have a thing where you can sort of do it, but it requires their phone app, and it doesn't even actually require it for logging in (and as far as I can tell, there's no way to force it to require it) so I don't know what the point is.