Why do companies in this IOT space just not require 2FA by default? Yes phone numbers can be stolen, and using a phone number is not -perfect- second factor. However these stories keep coming up and I cant help but think in each case that someone has secured their account with the password password123.