Thinking about two-factor auth at a nano level, requiring human confirmation before any client can actually post to your site via your micropub endpoint.
For example, I sign in to barnaby's experimental Taproot interface but don't trust it entirely yet. Instead of giving him blanket access to post to my site, every time his app makes a request to my micropub endpoint, it goes and asks me for confiramtion before publishing.
Either OOB confirmation (2-factor auth via SMS or something) or an OAuth-like confirmation dialog from the same browser window.
#indieauth #micropub #2fa