2FA doesn't even offer much protection in a breach of the site using it. In fact, if not implemented smartly, the tokens also become compromised, requiring re-enrollment. The purpose of 2FA is to prevent automated and targeted account compromise, and it is especially helpful when other places' databases get dumped and folks have used the same credentials in two locations. 2FA (for better or worse) allows you to relax password requirements a bit, even if you shouldn't, because the password alone is not sufficient to log in, and an attacker would need access to the 2FA device as well. Because every 2FA token is different, compromising one site, even if your credentials are used on other sites and revealed in plaintext, does not allow an attacker to compromise your account at any location using 2FA.

And +1 to ELH. It's reprehensible how many companies have had compromises, and like I said above, that's a side concern, as 2FA doesn't protect against that anyhow. It would blunt the impact of compromises for the layperson, and roll20 is already doing decent minimization of data retained (which mitigates another of the big impacts of having your DB compromised).