What Fabulous do have, however, is an "Executive Lock" feature, which is an optional additional layer of verification that the domain owner must go through before a domain can be transferred away from his account. They also support U2F, which allows the use of hardware tokens such as YubiKeys.
Domain protection features such as these are vital if a registrar does not want to be swamped with jacking attempts and the PR disaster of actually losing domains.
I am surprised that Cloudflare has not already followed the fine example of companies such as Dropbox, GitHub, and Google by supporting U2F. A quick search shows that Cloudflare customers have been publicly asking for this for at least 3 years. When they introduced TOTP 2.5 years ago, they stated that they would support U2F "shortly".
In the context of being a domain registrar, supporting U2F would be even more useful, dramatically reducing the number of domain jacking attempts. Proper support would encourage customers to associate TWO hardware tokens with their account, each stored in a different location. Supporting only one, as AWS have recently done, leaves them wide open to social engineering, with impersonators claiming to have lost their one key.
An even more shocking example is TransferWise, supposedly a cutting-edge star of the "fintech" scene. They use SMS-based codes, a wildly insecure form of OTP. Over a thousand employees and they cannot even implement some sort of app-based TOTP (such as Google Authenticator) to protect their clients' money.