Worse for us
As far as I can figure out, PayPal's 2FA offering for the UK is a code sent by SMS. If you don't have your phone to hand, or can't be arsed to look at it, you can bypass the whole process by answering two security questions. It's always the same two questions. So, one person peering over your shoulder, a keylogger or just someone who's able to do some basic research to find your mum's maiden name, and your 2FA becomes sweet FA.