TOTP is certainly better than none.
CCP don't even S/MIME sign their emails; in fact, we had an issue about this here: Phishing emails lately?
Also, they don't allow us to register an OpenPGP public key so that our account-related emails are encrypted to our inbox (where we would hold the private key offline, thus mitigating the risk of a compromised email account compromising our other accounts registered to that email address; it means nobody could read any reset emails. We could also then digitally sign our emails to CCP on account-related issues: even if we had to use another email account, the digitally signed email would prove we control the private key).