Is it possible to add this important security feature to Subeta? I would feel more safer with this than with a PIN code.

And make it a choice of course.

The PIN system could use an overhaul anyway. I've had it enabled for logging in since I joined over a decade ago, but recently blanked out on my PIN and realized that it probably hasn't been touched since then.

Has there been a rash of people's accounts being hacked? I'm not naive enough to think that anywhere on the internet is safe, but of all the places that hackers would be interested in, Subeta seems kinda low on that list. Not to mention they'd probably get more usable and damaging information by making their own account and using social engineering than trying to get into someone else's.

I've gotta say no to this one, a lot of 2 Factor Identification stuff can actually make things LESS secure from what I've heard (Though I can't find my source for that right now), and this isn't like say, Neopets or Flight RIsing where there's a huge offsite black market for pets and items (as far as I know) so I don't think hacking or account theft is like, a huge problem here, so at best I think it'd be an inconvenience

hmm, i dislike 2-step verification login into any account. Based on this alone, i won't offer support for the idea.

BUT, and there's a big but here. Some people might share their computer with other people in their household. If they have reasons NOT to trust those other people they might have plenty of reasons to want this feature. Therefore, for these people, to protect them, to help them feel safe, i think Subeta could enable this feature. But only if we can choose NOT to use it, as in not a mandatory feature, just like the PIN.

2FA buys you time to change your password in the event of a breach or falling for a phish. It's not something that protects you against blackmail.

depends on if it's a time based token (think Google Authenticator) or SMS. SMS is not secure because it was never designed to be secure. Out of band time based tokens that don't touch the Internet or SS7 are secure provided you're not using a sketchy authenticator or running them on a compromised device.

My first thought is "How feasible is it?" bc I vaguely remember, recently, Keith saying that the code works better for now hosted by himself instead of a 3rd party.

I don't pretend to know about the backcoding of Subeta, but I do know that major cloud providers (At least AWS), you can set up your site to have it, and that he (understandably!) doesn't want to deal with Amazon.