Two factor is magnitudes better than password only, but it's not foolproof.
Security is only as strong as the weakest link. CloudFlare was hacked recently because the attacker was able to redirect voicemail to another account, then use the two-factor backup recovery phone option to take control of Google Authenticator.
You can no longer recover a Google account via a voicemail message, and AT&T now allows you to lock changes to your account with a passcode. And, the people that committed this particular attack are now in jail awaiting trial.
Security is only as strong as the weakest link. CloudFlare was hacked recently because the attacker was able to redirect voicemail to another account, then use the two-factor backup recovery phone option to take control of Google Authenticator.
https://blog.cloudflare.com/the-four-critical-security-flaws...