In the modern age of mass credential stuffing attacks exploiting password reuse, MFA is one of the most effective tools for reducing unauthorized logins. Companies that don't adopt it are risking unacceptably high levels of credit card chargebacks.
I wish the standard were for companies to check new passwords against leaked password lists, e.g. what https://haveibeenpwned.com uses.
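The check that comment describes, as an added example (not the commenter's code and not Have I Been Pwned's own client): the Pwned Passwords range API is queried with only the first five hex characters of the password's SHA-1, so the server never sees the full hash, and the client compares the returned suffixes locally. The sample range response below is constructed for the example; the `fetch_range` helper that performs a live lookup is included for completeness but is not needed to run the check offline.

```python
import hashlib
import urllib.request

# Constructed sample of a range response for prefix "5BAA6" (the SHA-1 prefix of
# "password"). Real responses contain hundreds of "SUFFIX:COUNT" lines; lines with
# a count of 0 are padding the API can add so response sizes do not leak which
# prefix was asked for, and must be ignored.
SAMPLE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # "password" (constructed count)
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n"         # some other hash (constructed)
    "00000000000000000000000000000000000:0\r\n"         # padding entry (count 0)
)


def split_hash(password: str) -> tuple[str, str]:
    """Return the 5-char k-anonymity prefix and the 35-char suffix of SHA-1(password)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, dropping padding (count 0) and junk lines."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        try:
            n = int(count)
        except ValueError:
            continue
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup against the Pwned Passwords API (network access required).

    Add-Padding asks the service to include zero-count filler lines so that the
    response size does not reveal how many real entries the prefix has.
    """
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "example-password-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in breach data, 0 if absent.

    `fetch` maps a 5-char prefix to a range response; injecting it lets the
    check run offline against constructed data.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range using the constructed sample above."""
    if prefix == "5BAA6":
        return SAMPLE_RANGE_5BAA6
    # Any other prefix: only padding comes back, i.e. nothing known.
    return "00000000000000000000000000000000000:0\r\n"


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 9f3a"):
        n = breach_count(candidate, fetch=fake_fetch)
        verdict = f"seen {n} times in breaches, reject" if n else "not found, allow"
        print(f"{candidate!r}: {verdict}")
```

A signup or password-change handler would call `breach_count` with the real `fetch_range` and refuse (or at least warn on) any non-zero result; because only the prefix leaves the client, the service cannot learn the password from the request.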
I use a similar workflow and have found that websites that allow passkey-based login can avoid the friction of waiting for TOTP codes or magic links.
How about supporting WebAuthn?
The current claude.ai signin mechanism is rather annoying.
I don't want to leak data either way by using some "let's throw SSO from a sketchy adtech company into the trust loop".
I don't want to wait a minute for Anthropic's login-by-email link, and have the process slam the brakes on my workflow and train of thought.
I don't want to wait a minute for OpenAI's MFA-by-email code (even though I disabled that in the account settings, it still did it).
I don't want to deal with desktop clients I don't trust, or that might not keep up with feature improvements. Nor have to kludge up a clumsy virtualization sandbox for an untrusted client, just to ask an LLM questions that could just be in a Web browser.