Thinking about two-factor auth at a nano level, requiring human confirmation before any client can actually post to your site via your micropub endpoint. For example, I sign in to barnaby's experimental Taproot interface but don't trust it entirely yet. Instead of giving him blanket access to post to my site, every time his app makes a request to my micropub endpoint, it goes and asks me for confiramtion before publishing. Either OOB confirmation (2-factor auth via SMS or something) or an OAuth-like confirm