About forcing their app, while it's not necessary (you can use mail guard or extract the OTP key to run just the OTP generation); the improvements it makes to account security is top notch. I have a 2007 dated Steam account that had its username password combination leaked way back when i used the same username password combo everywhere. After setting up Steam Guard; I never had to change anything off of it. It used to just generate OTPs with its app; now it also shows where were login attempts made to your account, occasionally I get "yo this random fuck from China tried to login your account; is this you" notifications on my phone which i can pretty much ignore.

My old accounts on other platforms have really different stories, but on none of them i was able to call the account safe without changing its credientials at all.