Normally I’d expect a sensitive account (and perhaps all our accounts) to have two-factor authentication, which stops all but the most determined and well-funded attackers dead in their tracks.
Will this be supported at some point, and if not, are there any work-arounds?
We are working on this for our PCI compliance as well. It is coming but not sure on the timeline. I read through the referenced thread, and seems strange that they would require you to jump through hoops for our software. We go through a PCI audit every year and I haven’t heard of this happening for one of our customers. I reached out to our main PCI guru to see if she can maybe help out and answer some of these questions on requirements.