Not supporting two-factor authentication (2FA) is a major security issue. If your account number, which serves as both a username and password, was leaked online, nothing can stop an attacker from accessing your account. I think this is a no-brainer.
I also think supporting 2FA should be added to the VPN criteria.
Considering how there is no personal info tied to your account, I don’t really see the issue here.
I agree that the issue is not really clear to me; this is by design. We could make 2FA a requirement for VPNs which have online account management, but that would not change any of our recommendations.
The method of payment is personal information (which could be tied to account activity during the short period logs are kept). This can be mitigated by paying with Monero or cash by mail, however.
The method of payment used is not visible from the Mullvad website. All an adversary with account access can do is use the service, see the “paid until” date, see any port forwards, and see any WireGuard keys and their associated pseudonymous device names.