This is link-bait sensationalism. Aside from the downtime, getting your heroku app recovered from being deleted is not a big deal, assuming you write into support in a reasonable amount of time.
"This isn’t something that 2-factor authentication is going to fix. 2-factor auth is great at preventing a man-in-the-middle attack but when the attacker has your phone, they probably also have the second auth channel."
Two-factor authentication could be made more secure by requiring you to reply to a text message with the answer to a security question that couldn't be found on your phone (e.g., the name of your favorite comic book character).
This seems like it's going to be a problem a lot of places if people are using 2 factor auth via their phones. You can delete someone's Github also immediately but I'm not sure if they keep backups somewhere. It sure says that stuff will be deleted IMMEDIATELY.
If your key ring included a teleporter that could steal all your possessions with a single button click, then yeah.
If someone steals your keys, they still have to find a time when no one's home, and it's still hard to steal things from a physical location quickly. Once you notice your keys are gone, you can call a locksmith and rekey the house.
That's why the article recommends a time delay. There should be enough time to realize that your access has been compromised, and nothing destructive should occur faster than that time limit. Ideally, the time limit should be configurable, so you can go on a vacation and know that even if someone hacks into your email the day you leave, nothing will get committed until your return.
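The grace-period idea from the comment above, as an added example (not Heroku's code or anything from the article): destructive actions are queued instead of executed, the owner is alerted out of band, and the action can be cancelled until the configurable delay expires. The `notify` hook, the `DelayedActionQueue` class and the "delete app" actions are assumed for illustration; the delay can only be lengthened per action, since shortening it would itself be a destructive change an attacker could make from the stolen phone.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional
import itertools


@dataclass
class PendingAction:
    action_id: int
    description: str
    run_at: datetime
    execute: Callable[[], None]


class DelayedActionQueue:
    """Hypothetical queue that runs destructive actions only after a grace period."""

    def __init__(self, default_delay: timedelta, notify: Callable[[str], None]):
        self.default_delay = default_delay
        self.notify = notify  # out-of-band alert hook (e.g. email/SMS), assumed
        self._pending: Dict[int, PendingAction] = {}
        self._ids = itertools.count(1)

    def schedule(self, description: str, execute: Callable[[], None],
                 now: datetime, delay: Optional[timedelta] = None) -> int:
        # A per-action delay may lengthen the grace period but never shorten it:
        # reducing the window is exactly what a thief with the phone would try.
        effective = self.default_delay if delay is None else max(delay, self.default_delay)
        action_id = next(self._ids)
        run_at = now + effective
        self._pending[action_id] = PendingAction(action_id, description, run_at, execute)
        self.notify(f"[{action_id}] '{description}' will run at {run_at:%Y-%m-%d %H:%M}; "
                    "cancel it before then if this wasn't you")
        return action_id

    def cancel(self, action_id: int) -> bool:
        """Cancel a queued action; returns False if it already ran or never existed."""
        return self._pending.pop(action_id, None) is not None

    def run_due(self, now: datetime) -> List[str]:
        """Execute every action whose grace period has elapsed; return their descriptions."""
        ran: List[str] = []
        for action_id, pending in list(self._pending.items()):
            if pending.run_at <= now:
                pending.execute()
                ran.append(pending.description)
                del self._pending[action_id]
        return ran
```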
Does any company in the world do something like this? If not, why make it sound like Heroku is doing something bad by not having it?
I don't think expecting people to protect their email and TOTP secrets is unreasonable, but it does go to show how vulnerable you are if your unlocked phone is stolen and you don't react quickly.
Don't give your phone to people you don't trust if it grants them this kind of access, and if somebody gets a hold of your phone or you lose it, change your passwords.
Believe me, I'm no stranger to flaming service providers, but I'm inclined to blame the user for not being sufficiently disciplined here. The service provider shouldn't have to make all these kinds of guesses about what you can access and within what timeframe.
I also put in a feature request that would fix this. Allow customers to lock addons and ENV variables and require an unlock password to change them. The same can be applied to the app as a whole, and then just disallow changing that unlock password from a phone's browser...only from a desktop.
Email apps should allow pin protection (separate from the phone pin). An email app is a door allowing access to the majority of services people want to keep secured.