As of January, 2014 Namecheap said[1]: "Currently, we only accept SMS authentication but Google Authenticator, Authy, and TOTP authentication are planned."

More than three years seems to me a long development cycle to add TOTP support. Am I being disingenuous to think they just don't care?

[1] https://blog.namecheap.com/account-security/

It's not that they don't care. It's that $CARE_AMOUNT < $ESTIMATED_COST.

That formula would immediately shift if a high profile website registered on Namecheap encounters an SMS hijacking.

So what's the meaning of caring then? If they aren't implementing the feature, it means that they don't care. It doesn't make a difference to me that they care a bit, just not enough to actually implement it.

TOTP codes are straightforward to bootstrap. It's not rocket science.

At scale the cost of implementing a feature as wide ranging as 2FA is well beyond the tech cost. A basic TOTP implementation can be coded from scratch in an afternoon[1].

The real cost is testing to make sure a code change like this doesn't break existing users and estimating the additional support overhead of dealing with users that lose their two-factor devices.

[1] Seriously the RFC is very straightforward and readable: https://tools.ietf.org/html/rfc6238

I agree, I wrote an implementation in an afternoon for work, and that was back when there were no libraries to do this for me.

Yep, SMS 2FA just makes my account less secure, therefore it doesn't count as 2FA.

It only makes an account less secure if you can get into an account without knowing the password just by having the 2FA code (through customer support). Social engineering is also a problem with TOTP 2FA.