Before anyone yells about security, every major service I use in both my personal and professional (software engineer) life has an OTP bypass mechanism for trusted devices. For OAuth/OIDC auth flows, they all have automatic refresh tokens.

Microsoft Azure, AWS, GitHub, Azure Active Directory. They all have MFA enabled, and all allow you to bypass it on trusted devices. Those accounts have access to data infinitely more valuable than my FFXIV characters. Those accounts are secure.

My own apps that I've built, which support MFA through Microsoft's Identity framework, have a "remember this device" feature.

There's no reason to exclude this option from a game account and force the user to type it in every time.

If you look at the trends in the industry, such as NIST and Microsoft dropping password expirations from best practices, you'll see that the reasoning is that creating too much inconvenience makes a platform less secure. That's totally the case here.

Many people would rather disable MFA than have to enter an OTP every single login. The same as people would rather use the same password and increment a number at the end when a password change is forced every 30 days. I'm not saying either of these is "okay" to do, but that's why NIST adjusted their best practices.

Allowing for trusted devices would increase the overall security across the whole player base.

And for those who want to enter it every time, they're more than welcome to keep doing that. This wouldn't affect them at all.

Thank you.
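One way a "remember this device" option can be implemented so that it stays bounded, as an added illustration that is not code from the original post or from any of the services it names: the server issues an HMAC-signed token after a successful OTP check, the token expires, is bound to one user, and is invalidated for every device at once by bumping a per-user counter. The function names, the 30-day lifetime and the in-memory user table are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side signing key and trust lifetime (assumed 30-day policy).
SERVER_KEY = secrets.token_bytes(32)
TRUST_TTL = 30 * 24 * 3600

# Stand-in for a user table. mfa_version is bumped on password change or when the
# user chooses "forget all devices"; every previously issued token then fails.
USERS = {"alice": {"mfa_version": 1}}


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_device_token(user: str, now=None) -> str:
    """Called once, after the OTP was verified, when the user ticks 'remember this device'."""
    now = time.time() if now is None else now
    claims = {"sub": user, "ver": USERS[user]["mfa_version"],
              "exp": int(now + TRUST_TTL), "dev": secrets.token_hex(8)}
    payload = json.dumps(claims, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(payload)}"


def device_is_trusted(user: str, token: str, now=None) -> bool:
    """True only if the token is intact, unexpired, issued to this user and not revoked."""
    now = time.time() if now is None else now
    try:
        body, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, binascii.Error):
        return False
    if not hmac.compare_digest(sig, _sign(payload)):   # constant-time MAC check first
        return False
    claims = json.loads(payload)                        # payload is server-authored once MAC passes
    return (claims["sub"] == user
            and claims["ver"] == USERS[user]["mfa_version"]
            and claims["exp"] > now)


def revoke_all_devices(user: str) -> None:
    """Invalidates every remembered device for the user without touching the signing key."""
    USERS[user]["mfa_version"] += 1
```

The login flow would call `device_is_trusted` before prompting for the OTP and skip the prompt only on `True`; the token itself belongs in an HttpOnly, Secure cookie so it is never exposed to page scripts.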