Because it's more work? Also 2fa often fails for the rightful card owner. And Cloudflare overzealous "security" is one of the reasons for failure.

in europe 2fa is mandatory for all (or almost all) online purchases, especially first time purchase from a merchant when your card hasn't been authorized. Sites using stripes' link get away with no 2fa most of the time, but not all the time. Make it mandatory on visa/mastercards level, and you won't loose much sales, as all transactions would require it and people will have to 2fa everywhere.

An hour ago paid to Contabo cloud service provider, headquartered in Munich. No 2fa.

Yeah, and this is actually a huge pain for visitors. I was in Europe a couple months ago and couldn't buy stuff like train tickets online. Why? Because everything wants to verify with a text, and I couldn't do that because I had gotten a European SIM card because my US plan doesn't do international roaming.

There are several colliding problems there (cheap cell phone plan, 2fa being via text, online purchases requiring 2fa) but it still illustrates to me the pain of doing simple stuff in the modern tech space. I wish the powers that be would work harder on solutions that don't require extra work from the people doing small, normal stuff. It would be better to have a lot more fraud occur but a lot more of the perpetrators pursued and caught. A lot of anti-fraud measures seem to be largely about passing the buck to someone else instead of actually eliminating the humans who are driving the fraud.

2FA for our cards is not via text, but via app. It's your credit card provider that doesn't implement 3D secure properly.

Because it just doesn't work with shocking frequency.

Maybe 10% of the time I make a purchase online, it shows me a screen where it says it's waiting for my bank to verify, I'll have to input a code or accept a notification or something.

A solid half the time it fails. Either the site decides the transaction was rejected before I even get a chance to respond (within seconds), or I just don't get any notification or code or anything, or I do authorize it and it still gets rejected.

idk here in India, we have 2FA for everything. I would say it very rarely fails, speaking from personal experience.

I think a lot of other countries have it much more standardized. Or it's just more common so the bugs get fixed.

But in the US there are so many credit card providers, each one seems to do it differently, and the UX flows just break. And it seems difficult for a site to even test, and how will you even figure out if it's the provider or network or merchant or notification that's failing?