2fa and allowing customers to add trusted devices has been pretty standard for over a decade. Allows frequent customers to skip 2fa most of the time except when doing things like changing account information, password resets, etc while still being relatively secure. No system is perfect, but AS really needs to roll something out fast.