
What Sendgrid offers here (and this is fairly typical) goes like this:

* To use their APIs or SMTP submission servers you need a bearer token, which is basically a random blob of data.

* To get a new bearer token (good for any number of API calls or SMTP submissions) you log into a web site and request a new token. This site is also where you can de-authorize existing tokens. The site is protected with 2FA.

Today, Sendgrid offers this, only with Authy for 2FA and it's optional. If you decide bearer tokens are too complicated for your 15-year-old PHP mail sending code, you can just use a username and self-selected password for SMTP or the API instead.

Authy has an obligatory SMS bypass. So even though you can use an app to generate codes, bad guys who can SIM swap their way to your phone number can do 2FA and get into the web site to issue their own bearer tokens.

So, today if you can guess a company's username and password on Sendgrid there's a good chance that's enough to have Sendgrid help you send spam as that company.

With the 2FA world they want to get to, you would need to either SIM-swap, trick their customer service agents, or most likely just pinch a bearer token they wrote to a Pastebin or whatever.

They could do much better in 2020, but there's no sign Sendgrid has any interest in doing more than the very bare minimum.
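The token model the comment describes (a logged-in, 2FA-protected account mints bearer tokens, can list and de-authorize them, and the token rather than a human password is what the client presents to the API or SMTP submission server) can be sketched in a few dozen lines. The following is an added illustration written for this thread, not SendGrid's code or API; the `tok_<id>_<secret>` layout, the `TokenStore` class and the plain username passed to `smtp_auth_plain` are all constructed assumptions. The store keeps only a hash of each secret, so a dump of the store does not yield usable tokens, and revocation works by token id so the owner never has to re-enter the secret. `smtp_auth_plain` shows the RFC 4616 AUTH PLAIN encoding a mail client would send when a bearer token is used as the SMTP password: it is base64, not encryption, which is why a token copied into a config file or a paste is as good as the token itself.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class TokenRecord:
    account: str          # account the token was minted for
    label: str            # human-readable name shown in the management UI
    secret_hash: bytes    # sha256 of the secret; the secret itself is never stored
    revoked: bool = False


class TokenStore:
    """Hypothetical issuer/verifier for API-style bearer tokens (constructed example)."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    @staticmethod
    def _digest(secret: str) -> bytes:
        return hashlib.sha256(secret.encode()).digest()

    def issue(self, account: str, label: str) -> str:
        # Called only after the (2FA-protected) web login succeeded.
        token_id = secrets.token_hex(8)          # public identifier, safe to display
        secret = secrets.token_urlsafe(32)       # 256 bits of randomness
        self._records[token_id] = TokenRecord(account, label, self._digest(secret))
        # The full token is shown to the user exactly once; the store cannot reproduce it.
        return f"tok_{token_id}_{secret}"

    def verify(self, token: str) -> Optional[str]:
        """Return the owning account for a valid, unrevoked token, else None."""
        try:
            prefix, token_id, secret = token.split("_", 2)
        except ValueError:
            return None
        if prefix != "tok":
            return None
        rec = self._records.get(token_id)
        if rec is None or rec.revoked:
            return None
        # Constant-time comparison of hashes avoids leaking which byte differed.
        if not hmac.compare_digest(rec.secret_hash, self._digest(secret)):
            return None
        return rec.account

    def list_tokens(self, account: str) -> List[Tuple[str, str, bool]]:
        """What the management page would show: id, label, revoked flag (never the secret)."""
        return [(tid, r.label, r.revoked)
                for tid, r in self._records.items() if r.account == account]

    def revoke(self, token_id: str) -> bool:
        """De-authorize by id, e.g. after the token turned up in a paste."""
        rec = self._records.get(token_id)
        if rec is None:
            return False
        rec.revoked = True
        return True


def smtp_auth_plain(username: str, token: str) -> str:
    """RFC 4616 AUTH PLAIN initial response: base64(NUL authcid NUL password)."""
    return base64.b64encode(b"\0" + username.encode() + b"\0" + token.encode()).decode()


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue("acme-corp", "legacy-php-mailer")
    print("issued:", tok)
    print("AUTH PLAIN", smtp_auth_plain("mailer", tok))
    print("verify ->", store.verify(tok))
    # Token found in a paste: owner revokes it by id from the management page.
    token_id = tok.split("_")[1]
    store.revoke(token_id)
    print("after revoke ->", store.verify(tok))
```

Because `verify` never consults the account's password, rotating the password does nothing to a leaked token; the only remedy is revocation, which is exactly why the revocation page needs stronger protection than an SMS-bypassable second factor.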



> To get a new bearer token (good for any number of API calls or SMTP submissions) you log into a web site and request a new token.

Is the bearer token used as the password in the SMTP transaction? Could the same one be used for IMAP access?



