That would only work if I’m the only one using my hosted stuff, but can’t really expect non tech ppl to deal with stuff like that.

They already struggle with the little 2fa they have to use. Introducing yet another system is too much to ask.

Still feels like I’m doing too little, but kinda hate 2fa.

And I kinda don’t want to know if complex passwords and low retries before an account gets locked out are enough.

Only if you care about security, which you should ofc.