[DangitBobby]

I don't know of anyone who does 2FA this way.

[Rygian]

My employer does it for products requiring PCI certification. Our PCI auditor recommends it even though it's not a formal requirement of PCI v3.

[darkarmani]

That sounds like a terrible trade-off that makes people more likely to write down passwords on post-it notes or in a clear-text file to cut-n-paste. Especially if you lock accounts after a 10 tries or so (or PCI's ridiculous low number of tries).

[rexfuzzle]

This was posted above: https://www.isnic.is/en/site/login First time I've seen it too