Your comments

I don't think it's reasonable for FN to offer MFA with no safety net (a la GitHub, some others), even as an option.


However, yes, being able to turn on additional security (something more than just my password) would be great. U2F tokens and TOTP (Google Authenticator/...) are obvious choices.


For the safety net, I'd suggest requiring proof of real-time access to the associated email address: After entering username and password, a single-use code is sent by email and you have to enter that code in the same browser tab (w/o refreshing*) as you started the login process. This isn't perfect, but it's user-friendly, and if you (as a user) are using an email provider that has good MFA/security of its own, you've raised the bar to "can MITM email between providers" which is more than good enough for securing your FN account.


* Associate the token sent by email with a second token delivered only once to the browser, in the response body to the "send me a token via email" request. Don't persist that second token in any way that would survive a refresh/etc. For bonus points, additionally bind the token to TLS channel id, if available.
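A worked illustration of the safety-net flow the comment above describes (single-use e-mail code bound to a second token that lives only in the browser tab), added here as an example; it is not the commenter's code nor anything from the site's implementation. The user store, the e-mail delivery step (an in-memory outbox), the code lifetime and the attempt limit are all constructed stand-ins, and the optional TLS channel-ID binding is left out because no transport is modelled.

```python
"""Single-use e-mail login code bound to a browser-held token (illustrative)."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # constructed policy value: e-mail code valid for 10 minutes
MAX_ATTEMPTS = 5         # constructed policy value: wrong guesses before the flow is voided

# Constructed stand-in for a user database: username -> (salt, password hash).
_USERS = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    _USERS[username] = (salt, _hash_password(password, salt))


def _check_password(username: str, password: str) -> bool:
    rec = _USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash_password(password, salt), stored)


def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


# Pending logins keyed by the hash of the browser token; only hashes are kept so a
# read of this table does not yield usable tokens.
_PENDING = {}

# Constructed outbox standing in for "send the code by e-mail".
OUTBOX = []


def start_login(username: str, password: str, now=None):
    """Step 1: check the password, then issue the two tokens.

    Returns the browser token, which is meant to travel only in the response body
    of this request and never be persisted by the client, or None on a bad password.
    """
    if not _check_password(username, password):
        return None
    now = time.time() if now is None else now
    email_code = f"{secrets.randbelow(10**8):08d}"   # 8-digit code delivered by e-mail
    browser_token = secrets.token_urlsafe(32)         # held in the tab's memory only
    _PENDING[_h(browser_token)] = {
        "username": username,
        "code_hash": _h(email_code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    OUTBOX.append((username, email_code))
    return browser_token


def complete_login(browser_token: str, email_code: str, now=None):
    """Step 2: both tokens must be presented together, once, before expiry.

    Returns the username on success, None otherwise. The pending record is removed
    on success, on expiry and after too many wrong codes, so a code is never replayable
    and a code obtained without the browser token (or after a refresh) is useless.
    """
    now = time.time() if now is None else now
    key = _h(browser_token)
    rec = _PENDING.get(key)
    if rec is None:
        return None          # unknown flow: tab refreshed, or code used without the browser token
    if now > rec["expires"]:
        del _PENDING[key]
        return None
    rec["attempts"] += 1
    if not hmac.compare_digest(rec["code_hash"], _h(email_code)):
        if rec["attempts"] >= MAX_ATTEMPTS:
            del _PENDING[key]
        return None
    del _PENDING[key]        # single use
    return rec["username"]
```

The point of keying the pending record on the browser token rather than on the username is that an e-mailed code alone proves nothing: the server only accepts it from the flow that requested it, and because the browser token is never written to a cookie or storage, a refresh or a new tab simply starts over.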

Please consider putting the cursor state for the endless scrolling into the URL (history API) so that I can bookmark and resume looking at results later, or send them to someone.


Any improvement to make back/forward browser navigation do the right thing would be welcome, however. The experience using Safari in private browsing mode is awful right now. (Open something in a new tab? New cookie jar, log in again! Open it in the same tab? Lose your state in the search!)