• 0 Posts
  • 4 Comments
Joined 1 year ago
Cake day: December 15th, 2024


  • I’m obviously not OP but the first thing that comes to mind are attacks like the one that targeted xz. Open source developers are generally overloaded between demands from the community and their regular lives, and they also lack the means and ability to check the background of everyone contributing code or vying for maintainer status. This creates the risk that somebody with bad intentions works their way into a position of some power over the code that gets merged. Bigger projects with strict governance and an active community of contributors (or funding for dedicated developers to maintain control and check outside contributions) have much smaller risk in this regard.
  • I don’t think it’s a normal expectation for services with variable labor and materials to have a flat price associated. Certainly not for businesses buying said services. But there isn’t a single “charge per seat” software company that has a valid excuse for obfuscating pricing. Every software company I’ve worked with (and I’ve worked with hundreds over my career buying software for corps) has a “list price” for their product even if they hide it.