The commonly used 2FA (30-second 6-digit codes) is basically just a random password that gets hashed with a time value to produce your code. So the advantage is that the password itself is never sent over the internet but it can still be leaked from the server or from your device via some malware or from backups.