Depends on details... I might not be screwed until I need to auth for something, at which point the auth is captured and I'm screwed.
Depends on details... I might not be screwed until I need to auth for something, at which point the auth is captured and I'm screwed.
And you do need to do it from time to time. So it's only 2FA against some threats, not necessarily most important ones for ordinary users.
If what you have (phone) and what you know (authentication) are both stolen, 2FA didn't keep your account secure. But it was still 2FA. They had to steal two things. Same as if it's a user entered OTP code, and you put your password into the phishing site, and then put your OTP code into the phishing site too; 2FA didn't help you, but it was still 2FA.