Does two-factor authentication need to be fixed?