In January this year, a Polish security researcher named Piotr Duszyński released a pen testing toolkit named Modlishka, (which loosely translates in English to Mantis) that can automate attacks against websites that use either SMS or OTP based two-factor authentication (2FA). While this is certainly concerning, the ability to co-opt some of these methods of 2FA is hardly new. Yet, the common response from some security pundits was that 2FA as an entire category was under assault and likely to fail. Instead of embracing the 'security panic theater' and wringing my hands, I'll review the current 2FA threat landscape, take a look at practical steps to mitigate those threats, and then I’ll review the current/future state of 2FA and alternative authentication methods.