Why don't these people use 2 factor auth like a yubikey? And not sms because it can be hacked and redirected. I know the reason, they are not wanting these non-technical foofaws to be slightly inconvenienced. And they'd lose their second factors even if they had them - too bad, you shouldn't be able to get an official email without it. Give everyone a couple of those keys, put one on their keychain, one in their computer at home, one in their work computer. They'd be so much safer.