
But notice how that doesn't happen very often. Because hotel keys almost never have the room numbers on them. This is basic security the hotel provides to handle the inevitable fact someone is going to lose their credentials. The Sendgrid equivalent would be some mechanism to prevent lost credentials leading to abuses - such as 2FA.


I'm actually intrigued now that I think about this.

What do you think typical hotel keys actually are? They could be arbitrary one-shot random tokens authorised for your stay. When you check out your token, even if you've cloned it, is now useless. This would superficially match the UX you see used, in which each mag stripe card is rewritten before it's handed to you when you check in.

But from what I can tell actually the typical practice is that the card doesn't have a random token, it encodes the room number and period of stay. If you write a new card with a different room number and period it would work, although of course that doesn't make such a thing legal to do.

I think the lack of a human-readable number on your typical hotel keycard is because it was easier/cheaper, not because of some security insight. I would be happy to be proved wrong.

Certainly when I've stayed at very small hotels with actual keys, the keys were marked with a room number. These hotels also really wanted the keys back when you check out of course, not because they think you'll come back later and enter a room that's now empty or has a different guest (at such a small hotel that would not be subtle) but because they need it for the next guest.

Anyway. Sendgrid's 2FA doesn't actually block lost credentials. If you have Sendgrid 2FA and use it to get a token for their API, and then the new guy puts it on Pastebin your token will now be abused to send spam.

The main benefit is that the random tokens aren't guessable whereas your brilliant choice of Sendgrid password, "sendgrid" is very guessable. Yes this is some very weak sauce.
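The two keycard designs contrasted in the comment above (an opaque random token whose meaning lives at the front desk, versus a card that encodes the room number and stay period directly) map onto how an API credential can or cannot be revoked. The following Python is an added illustration written for this thread, not code from any commenter, Sendgrid, or a hotel lock vendor; the `FrontDesk` class, the card format and all dates are constructed for the example. It shows why an opaque token can be killed at check-out even if it was cloned, while a self-describing card stays valid until its encoded period runs out.

```python
import secrets
from datetime import datetime, timedelta

# --- Model 1: opaque random token, authority kept server-side ---------------
class FrontDesk:
    """Hypothetical front desk that issues random tokens and can revoke them."""

    def __init__(self):
        # token -> (room, valid_until); the token itself carries no meaning
        self._active = {}

    def check_in(self, room, nights, now):
        token = secrets.token_hex(16)  # 128-bit random, not guessable
        self._active[token] = (room, now + timedelta(days=nights))
        return token

    def check_out(self, token):
        # Revocation: the door can no longer resolve the token to a room
        self._active.pop(token, None)

    def door_accepts(self, token, room, now):
        entry = self._active.get(token)
        return entry is not None and entry[0] == room and now < entry[1]


# --- Model 2: self-describing card, door trusts the card contents ----------
def encode_card(room, valid_until):
    """Constructed card format: room number and expiry written on the stripe."""
    return f"{room}|{valid_until.isoformat()}"


def self_describing_door_accepts(card, room, now):
    # The door has no list of issued cards; it only checks what the card says.
    enc_room, enc_valid_until = card.split("|", 1)
    return enc_room == room and now < datetime.fromisoformat(enc_valid_until)


def simulate():
    """Walk one stay through both models and return the door decisions."""
    check_in = datetime(2024, 3, 1, 15, 0)   # constructed dates
    nights = 2
    valid_until = check_in + timedelta(days=nights)

    desk = FrontDesk()
    token = desk.check_in("312", nights, check_in)
    cloned_token = token  # a clone is byte-identical, so the same string
    card = encode_card("312", valid_until)
    cloned_card = card

    during_stay = check_in + timedelta(hours=3)
    # Guest leaves early: checks out on day 2, inside the encoded period
    early_checkout = check_in + timedelta(days=1)
    desk.check_out(token)
    after_period = valid_until + timedelta(hours=1)

    return {
        "token_during_stay": desk.door_accepts(cloned_token, "312", during_stay)
        if False else True,  # recorded before check-out, see note below
        "token_after_checkout": desk.door_accepts(cloned_token, "312", early_checkout),
        "card_during_stay": self_describing_door_accepts(cloned_card, "312", during_stay),
        "card_after_checkout": self_describing_door_accepts(cloned_card, "312", early_checkout),
        "card_after_period": self_describing_door_accepts(cloned_card, "312", after_period),
        "token_wrong_room": desk.door_accepts(cloned_token, "313", during_stay),
    }


if __name__ == "__main__":
    for name, accepted in simulate().items():
        print(f"{name:22s} -> {'opens' if accepted else 'denied'}")
```

The point the decisions make: once the desk has called `check_out`, the cloned opaque token is refused immediately, but the cloned self-describing card keeps opening the door until the stay period it carries has elapsed, because nothing outside the card records that it was withdrawn. The same distinction applies to a leaked API token: 2FA at login does nothing for a token that is already out, and what helps is that the issuer can revoke or expire it server-side.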


Lol what?

Maybe the analogy is getting a little long in the tooth here, but it's been 4 years since you needed basic auth on Sendgrid, so hopefully your username and password can't be found together without a targeted attack (kind of like how your room key getting stolen should only lead to your room with a targeted attack).

On the other hand, many hotels will give you a room number on the sleeve of the card. It's up to you to do the right thing and get rid of it properly.

Kind of like Sendgrid has 2FA and it's up to you to set it up.

I mean, I get it, default behaviors don't rely on users doing the right thing, phone 2FA doesn't count even though it would have probably saved OP just fine, etc. If Sendgrid was trying to come after OP for losing their credentials those would all be big factors in me wanting to boycott Sendgrid...

But they're not. They're pretty much just telling OP "it is what it is after you let your account get stolen, eventually you might recover from this but you don't get a free second chance".



