Ohhhh I forgot about the cute animal security step! Tbh I thought it was decent. A sort of reverse password where they demonstrate that they're really them before you demonstrate you're really you. Two factor does do this, but I think it's easy to convince people that the system just "didn't require it" this time and skip it as a malicious actor vs. the cute animal. I'm not surprised it failed to accomplish anything, but in theory it seemed decent.