Seems nearly impossible to spoof, and yet I was getting alerts on an authentication app to approve someone to get access. I of course denied it when I saw it, but those requests had short shelf-life, meaning if I didn’t deny, the bad actor could have easily just tried a 2 digit number. I’ve now changed passwords to another randomly -generated text string as well as moving to SMS for the 2nd factor. Still wondering if maybe the authentication app is better.