If an attacker had your TAPSIGNER, they'd still need your username/password to authenticate, and vice versa. We don't secure funds with these TAPSIGNERs; they are only used for two-factor authentication, so the best-practice violation seems like a reasonable trade-off for this use case.
Discussion
One alternative is to use the TAPSIGNER alone for authentication: scan it, type in your PIN, and you're authenticated, with no username/password needed. If you lost your TAPSIGNER, an attacker would still need to know your PIN to authenticate, and in this design the PIN is never stored on our server.
Will we implement this in production? We'll see, but it's been a fun project and the TAPSIGNER is a great product!
Check out megawatthq.com 👀 for all of your miner hosting needs! The company was founded at the Indy Bitcoin meetup, so get out there and support your local #Bitcoin groups. You never know who you'll meet.