I have Mailchimp set up to use MFA via TOTP and I have 2FA via SMS turned off.
I just logged in for the first time in a while. It made me verify by SMS and didn’t ask me for my TOTP number. In the settings, I have this configured correctly, but there’s a “We’ll use this to confirm your identity if we spot any unusual activity on your account.” phone number.
This seriously lowers my confidence that they’re doing this right at all. Everything seems to have gotten worse over the past few years.
