Given the ability to easily destroy an entire Storm VPS infrastructure within the management portal, there should be some sort of multi-factor authentication available to enable for users who want an extra level of protection on their accounts.

If someone gains access to the management portal, all parent servers, child instances, and even images can be destroyed very easily. The system prompts for the account password, but if someone has already compromised the account, then that is a pretty useless level of additional authentication and really is only helpful in preventing someone from accidentally clicking the Destroy button.