I don't get it. Only 2 FA is needed for transactions. So if someone hacks in to an account he can withdraw the coins with just 2 passwords, right?
What about the people who run the service? This is where things like trezor will solve, and 2FA is a just a false sense of security for that attack.