Regarding the dual factor authentication sub-topic of this thread, I signed up for DFA a while back and have not been prompted to use it any time I've logged into my account. But, yesterday I called to book a night with an AMEX weekend certificate and needed the DFA for the redemption. It was awkward because the SMS didn't send right away so the agent went on hold a couple times and came back an asked me if I received it. Took a few minutes but the code did finally come through.

It seems kind of pointless to use the DFA when you call in for a redemption since they verify your e-mail address and phone number when you call in regardless, but at least it seems like it may be triggered for a points redemption even if it is not triggered when you log in. I haven't tested this with an online points redemption yet, though.