Not the point ....
I *think* the nice man meant to ensure that all services that you use online have 2FA enabled in addition to using your email address.
So any attempt to log into a service using your email address and correct password triggers a 2FA call (say SMS, but any number of authentication services are available).
I am well aware that SMS has been shown to be less than secure, but for most people it's better than nothing (as the above bookkeeper would have found).
Biting the hand that feeds IT
