How would 2FA help here, you'd still create the compromised OAuth credential with 2FA?