" ... The idea being that if someone learns of or guesses your password, they also need to get something else off you, like your unlocked phone or hardware key. "
I'm not so sure it needs to be unlocked - "7 Methods to Hack/Bypass Android lock screen Pin/Pattern/Password" [ drphone dot wondershare dot com ]
If a stolen pin-locked phone can be unlocked then having 2FA as Authenticator on the same phone is worse than useless. Also if the mail account used on that phone can be used for SMS authentification, ouch.
I do use Authenticator but on an older offline phone (no sim, bt and wifi turned off always) used for nothing else. Also, my regular Android phone has a dedicated google email account that isn't used for any other purpose.
Which all means a lot of inconvenience, e.g., no bank balance checks and transfers on the road. Possible for me because I grew up when that wasn't possible anyway.
Biting the hand that feeds IT
