Comment by hansvm
4 days ago
This feels similar in spirit to some service providers (*cough* Atlassian -- especially bad when they acquire other companies and push that bullshit on previously functional authentication systems) using ownership of a domain to assert ownership of an account using that domain.
E.g.:
1. You create an account using an email associated with a domain.
2. The domain owner coughs up their protection money to Atlassian and proves ownership of the domain.
3. Your password-protected account is assigned to the domain owner. Your password and 2FA are invalid. The domain owner can access your private data without your password and 2FA.
Both TFA and the thing I described rely on broken, simplistic views of "domain ownership == account ownership".
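The failure mode described in the comment, modelled as an added example (not code from the comment, Hacker News, or any vendor): a toy tenant store where verifying DNS ownership of a domain either immediately reassigns every existing account at that domain to the claiming organisation (the "domain ownership == account ownership" shortcut) or, in the hardened variant, leaves each pre-existing account with its holder until that holder, authenticated with their own password and second factor, explicitly accepts the migration. All names (`example.com`, `alice`, `org-acme`), the policy labels and the sample data are constructed for the illustration.

```python
"""Added example: two policies for 'an organisation has proven it owns a domain'.

  NAIVE   - every existing account with an address at that domain is handed to
            the organisation at once; the holder's password/2FA no longer gate
            access to the account's private data.
  CONSENT - existing accounts stay with their holders; the organisation gains
            control only after the holder, authenticated with password + OTP,
            accepts the migration. Accounts created after the claim are
            org-managed from the start under both policies.
All identifiers below are constructed for the illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    owner: str                      # user id or organisation id that controls it
    private_data: str
    migration_accepted: bool = False


@dataclass
class Tenant:
    policy: str                     # "NAIVE" or "CONSENT"
    verified_domains: dict = field(default_factory=dict)   # domain -> org id
    accounts: dict = field(default_factory=dict)           # email -> Account

    @staticmethod
    def domain_of(email: str) -> str:
        return email.rsplit("@", 1)[1].lower()

    def create_account(self, email: str, user_id: str, data: str) -> None:
        org = self.verified_domains.get(self.domain_of(email))
        # Accounts created after a claim are managed by the org under both policies.
        self.accounts[email] = Account(email, org if org else user_id, data)

    def claim_domain(self, domain: str, org_id: str) -> None:
        """Called once the org has passed DNS/TXT verification for `domain`."""
        domain = domain.lower()
        self.verified_domains[domain] = org_id
        if self.policy == "NAIVE":
            # The shortcut: ownership of the domain is treated as ownership of
            # every account at that domain, bypassing the holders' credentials.
            for acct in self.accounts.values():
                if self.domain_of(acct.email) == domain:
                    acct.owner = org_id

    def accept_migration(self, email: str, user_id: str,
                         password_ok: bool, otp_ok: bool) -> None:
        """CONSENT path: only the authenticated holder can hand the account over."""
        acct = self.accounts[email]
        if acct.owner != user_id or not (password_ok and otp_ok):
            raise PermissionError("only the authenticated holder may migrate")
        org = self.verified_domains.get(self.domain_of(email))
        if org is None:
            raise ValueError("domain has not been claimed")
        acct.owner = org
        acct.migration_accepted = True

    def read_private(self, email: str, actor: str) -> str:
        acct = self.accounts[email]
        if acct.owner != actor:
            raise PermissionError(f"{actor} does not control {email}")
        return acct.private_data


def simulate(policy: str) -> str:
    """Create a user account, then let an org claim the domain; report who can read."""
    t = Tenant(policy)
    t.create_account("alice@example.com", "alice", "alice's private notes")
    t.claim_domain("example.com", "org-acme")
    try:
        t.read_private("alice@example.com", "org-acme")
        return "org can read without alice's consent"
    except PermissionError:
        return "org denied until alice consents"


if __name__ == "__main__":
    for p in ("NAIVE", "CONSENT"):
        print(p, "->", simulate(p))
```

Under `NAIVE` the organisation reads Alice's data immediately after the DNS check; under `CONSENT` the same read is refused until `accept_migration` succeeds with Alice's own password and OTP, which is the property a domain-claim feature should preserve for accounts that predate the claim.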