Re: SECURITY IMPROVEMENT IDEAS FOR BITFINEX
Board: Exchanges
by noggin-scratcher on 18/11/2014, 00:34:33 UTC
Long story short, Bitfinex uses a password authentication method, with optional 2FA, but we cannot guarantee your security in regards to YOUR phone, YOUR email address, and YOUR laptop. Basically, the complaint is, well, my phone and my laptop got hacked, how could they access my Bitfinex account? I would say that if you were compromised in 2 other areas... your security procedures probably need some work.

I believe the actual complaint was that if your email account is compromised from one device, that's pretty much game over - a sufficiently motivated attacker can have a password reset sent to that email address, and have a conversation with your support people to have the 2FA turned off. So the security of your Bitfinex account reduces to the security of your email account, with the OTP device serving mostly as a small additional roadblock to make the process slightly inconvenient, rather than a true additional 'factor'.

Not that I can really complain... my phone isn't secure enough to really count as an extra factor regardless of your implementation of 2FA... it's just a harder single factor to compromise given I'd have to physically lose it rather than getting myself electronically/remotely pwned.
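The recovery weakness the post describes (e-mail control alone is enough to reset the password and then get support to switch 2FA off) can be modelled in a few lines, which also makes it easy to compare against a recovery policy that does not collapse to one factor. The following is an added example written for this thread, not Bitfinex code; the account, the 72-hour cooling-off delay, the recovery-code mechanism and every function name are assumptions for the illustration.

```python
"""
Added example (not Bitfinex code): two account-recovery policies for an
exchange-style login, modelled in plain Python.

Policy "email-only": a password reset and a support request to remove 2FA are
both satisfied by proving control of the registered e-mail address.
Policy "hardened": removing 2FA needs a second, independent proof (a stored
recovery code); without one, the request enters a cooling-off period during
which the still-enrolled 2FA device is notified and may cancel it.
"""
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac
import secrets

COOLING_OFF_HOURS = 72  # assumed delay before an unverified 2FA removal completes


def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Account:
    email: str
    password_hash: str
    totp_enabled: bool = True
    recovery_code_hashes: set = field(default_factory=set)
    log: list = field(default_factory=list)


def prove_email_control(acct: Account, inbox_owner: str) -> bool:
    """Both policies accept 'I can read the registered inbox' as proof of identity."""
    return inbox_owner == acct.email


def reset_password(acct: Account, inbox_owner: str, new_password: str) -> bool:
    if not prove_email_control(acct, inbox_owner):
        acct.log.append("password reset refused")
        return False
    acct.password_hash = _hash(new_password)
    acct.log.append("password reset via e-mail")
    return True


def remove_2fa_email_only(acct: Account, inbox_owner: str) -> bool:
    """Policy 'email-only': support turns 2FA off once the requester answers from the registered inbox."""
    if not prove_email_control(acct, inbox_owner):
        return False
    acct.totp_enabled = False
    acct.log.append("2FA removed on e-mail-verified support request")
    return True


def remove_2fa_hardened(acct: Account, inbox_owner: str, recovery_code: Optional[str] = None,
                        hours_elapsed: int = 0, cancelled_by_device: bool = False) -> bool:
    """Policy 'hardened': a valid recovery code removes 2FA at once; otherwise a notified cooling-off period applies."""
    if not prove_email_control(acct, inbox_owner):
        return False
    if recovery_code is not None:
        digest = _hash(recovery_code)
        # constant-time comparison against each stored single-use code hash
        if any(hmac.compare_digest(digest, h) for h in acct.recovery_code_hashes):
            acct.recovery_code_hashes.discard(digest)
            acct.totp_enabled = False
            acct.log.append("2FA removed with recovery code")
            return True
        acct.log.append("bad recovery code")
        return False
    acct.log.append("2FA removal requested; enrolled device notified; cooling-off started")
    if cancelled_by_device:
        acct.log.append("2FA removal cancelled from enrolled device")
        return False
    if hours_elapsed < COOLING_OFF_HOURS:
        return False  # request still pending
    acct.totp_enabled = False
    acct.log.append("2FA removed after cooling-off period")
    return True


def can_log_in(acct: Account, password: str, has_totp_device: bool) -> bool:
    return hmac.compare_digest(acct.password_hash, _hash(password)) and (not acct.totp_enabled or has_totp_device)


def inbox_only_scenario(policy: str, hours_waited: int = 0, device_holder_cancels: bool = False) -> bool:
    """Return True if whoever controls only the inbox (not the OTP device) ends up able to log in."""
    acct = Account(email="alice@example.com", password_hash=_hash("original"))  # constructed sample account
    acct.recovery_code_hashes.add(_hash(secrets.token_hex(8)))  # genuine user keeps the code offline
    reset_password(acct, "alice@example.com", "chosen-by-inbox-holder")
    if policy == "email-only":
        remove_2fa_email_only(acct, "alice@example.com")
    else:
        remove_2fa_hardened(acct, "alice@example.com", hours_elapsed=hours_waited,
                            cancelled_by_device=device_holder_cancels)
    return can_log_in(acct, "chosen-by-inbox-holder", has_totp_device=False)


if __name__ == "__main__":
    print("email-only policy, inbox control alone suffices:", inbox_only_scenario("email-only"))
    print("hardened policy, immediately:", inbox_only_scenario("hardened"))
    print("hardened policy, after cooling-off, device cancelled:", inbox_only_scenario("hardened", 72, True))
```

The last scenario is the point of the delay: it does not by itself stop a removal that nobody cancels, it buys the device holder a notified window in which to cancel, so the OTP device stays a real factor rather than the "small additional roadblock" the post describes.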