[maccard]

Digital ocean is the answer. You give it a container and off you go.

[baobabKoodaa]

Not sure how Digital Ocean is comparable to what Heroku used to be.

[ipaddr]

Use to be now they are requiring 2fa for addon domains over a certain amount

[ceejayoz]

Of all the things to be upset about, mandatory 2FA doesn't seem like one.

[ipaddr]

2FA has been in place for years through email but this new requirement forces a phone.

[ceejayoz]

Good. E-mail based 2FA is bad, and they appear to support TOTP too as an option, as they should. Wish they supported U2F though.

[ipaddr]

Why is email based 2fa bad but phone good? There are classes of issues you get through phone 2fa compared to email

[ceejayoz]

Typically, you can also reset password via email, so it's really only one factor. Compromised email = compromised server.

[maccard]

It’s negligent to not use 2FA for any cloud platform where credentials can be used to spin up resources.

[ipaddr]

I should have been more clear 2FA has been in place for years the phone requirement is new.

[jlokier]

They use TOTP for 2FA (industry standard), which doesn't require a phone.

Their help page lists a bunch of 2FA app options, all of which run on phones, so it's understandable to think a phone is required. (I'm disappointed they don't list the app I use, which is Aegis Authenticator.)

But actually you can use any TOTP app, and they don't all need a phone. For example, macOS (desktop) has built-in TOTP 2FA as part of the password manager.

[esseph]

Good! Should have been done long ago