>A warning to auth engineers: if an account is using a Gmail address, then auth codes from Google Authenticator should not be considered a second factor.

Incredible take. I don't know what's worse here — suggesting gmail address = google authenticator, thinking you can know the source of "auth codes", or the fact this is coming from an auth engineer. I'm switching to handwritten HMACs on paper napkins today.