2FA has been broken for a while
You log in from your phone and a verification token is pushed to your phone. That's not 2FA anymore. It just means that the malware needs to be put on your phone rather than your desktop computer.
Token generator key fobs are a bit better because it must be physically stolen and used before the owner deactivates it.