This is link-bait sensationalism. Aside from the downtime, getting your Heroku app recovered from being deleted is not a big deal, assuming you write in to support in a reasonable amount of time.
<i>"This isn’t something that 2-factor authentication is going to fix. 2-factor auth is great at preventing a man-in-the-middle attack but when the attacker has your phone, they probably also have the second auth channel."</i><p>Two-factor authentication could be made more secure by requiring you to reply to a text message with the answer to a security question that couldn't be found on your phone (e.g., the name of your favorite comic book character).
This seems like it's going to be a problem in a lot of places if people are using 2-factor auth via their phones. You can delete someone's GitHub also immediately, but I'm not sure if they keep backups somewhere. It sure says that stuff will be deleted IMMEDIATELY.
I also put in a feature request that would fix this. Allow customers to lock addons and ENV variables and require an unlock password to change them. The same can be applied to the app as a whole, and then just disallow changing that unlock password from a phone's browser... only from a desktop.
"Hi, I'm Insert Name, pleased to meet you. Can I borrow your phone?"<p>"No"<p>...<p>"Erm, what do you think you're doing, get your hand out of my pocket!"<p>No one touches my phone.
Email apps should allow PIN protection (separate from the phone PIN). An email app is a door allowing access to the majority of services people want to keep secured.