There are ways to limit which two-factor options are available, like push notifications, SMS text, phone calls, etc. Several times we have been exploited by some account making multiple “expensive” telephony calls or even SMS text to foreign countries. Somehow these methods pay another third-party for making these calls, which get charged to our telephony credits.
Maybe this is an enhancement request. It seems like there should be a policy available that would restrict these “expensive”, more that 1 or 2 credit calls, to an authorized group. Then, we wouldn’t have to restrict and entire method, but could limit it to the one and two credit methods unless a person belonged to an override group.