2FA most commonly thwarts server-side compromised passwords. An API can leak credentials and an attacker still can’t access the account without the 2FA app, regardless of which app that is. The threat vector it does open you up to are a) a compromised device or b) someone with access to your master password, secret key and email account. Those are both much harder to do and you’re probably screwed in either case unless you use a ubikey or similar device.
How is it possible to have compromised password but not compromised the second factor? I don't understand the theory of leaking not enough factors. What is stopping webmasters from using 100FA?
> How is it possible to have compromised password but not compromised the second factor?
Server-side (assuming weak password storage or weak in-transit encryption) or phishing (more advanced phishers may get the codes too but only single instance of the code, not the base key).
> What is stopping webmasters from using 100FA?
The users would hunt them down and beat them mercilessly?
