Maybe it’s more like 1.5-factor authentication: not as weak as a password but not as strong as a TOTP code generated on a separate device. Regardless of the technicalities, two-step verification ...