We normally have 2FA turned on for everything. However, it is a little horrifying to see that Atlassian provides absolutely no fallback if the authentication code is lost. Yes, we back things up. But every other vendor I'm aware of has at least a reset-by-postal-mail option, sometimes with a fee, to reduce the risk of complete loss of access from accident or malice. As a result, we haven't turned it on here.
This is a paid product -- Atlassian should do better.
