Two-factor authentication (2FA) with the use of one-time passwords (OTPs) is now often seen as a cure-all against phishing, social engineering, account theft, and other cyber-maladies. By requesting an OTP at login, the service in question provides an additional protective layer of user verification. The code can be generated in a special app directly on the user’s device, although, sadly, few people bother to install and configure an authenticator app. Therefore, sites usually send a verification code in the form of a text, email, push notification, IM message, or even voice call.