Not the point...
I *think* the nice man meant to ensure that all services that you use online have 2FA enabled in addition to using your email address.
So any attempt to log into a service using your email address and correct password triggers a 2FA call (say SMS, but any number of authentication services are available).
I am well aware that SMS has been shown to be less than secure, but for most people it's better than nothing (as the above bookkeeper would have found).