I've been asking what the point of locking accounts permanently for 2FA failures is as it seems quite ridiculous.
I agree, considering 2FA token is valid for 20 seconds (as far as I know).. or they could increase the account locking threshold to 50 or something if all they want is prevent brute force attacks, I doubt anyone would get through in 50 attempts on a 7 digit code...