Post
Topic
Board Service Discussion
Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
by 01BTC10 on 15/09/2013, 23:09:22 UTC
Seems this guy didn't enable 2FA until after the attack. 

Right now, both he and Mark Karpeles could be telling the truth if the attacker disabled 2FA, then reenabled it after he was done.

2FA on withdrawal is pointless if it can be disabled after login.
My understanding is that once Yubikey is enabled on MtGox for withdrawals it can't be disabled (by the user), hence the multi-week delay for lost/broken Yubikeys while account ownership is re-verified and MtGox enables a replacement Yubikey.
It can be disabled with the OTP code.