A lot of exchanges are already doing this, and this should have been done way earlier. I'm fairly sure that Binance has been doing this kind of thing for at least a year, since you can't withdraw, if I remember correctly, until you add a 2FA method.
2FA does not guarantee security, but at least now it is much less likely that hacks into user accounts will occur.
Also, interesting that Kraken haven't added SMS/phone calls as a means of 2FA verification. Perhaps setting that up would present too much of a cost for them? I'm not sure, but there are certainly people who would prefer SMS over authentication apps.