2FA auth is fundamentally harder to crack due to computational complexities and also physical constraints, and it is definitely better than just a plain password. Also, 2FA doesn't add extra inconvenience when done the right way - see Google's 2FA.
I am not quite sure what to make out of this article, but here is a simple scenario which I believe puts everything in a bit of perspective.
Say that I somehow lose my password. Without 2FA that's it - the attacker is in. With 2FA the attacker will have to do more work. I don't care how complex it is to crack the token. The point is that just because you know a secret, it doesn't give you all other secrets.
Google's 2FA is kinda broken though, in that it generates permanent 'per-app' passwords that aren't actually limited to one app; they can be reused as often as you (or a data thief) want. That always bugged me...
The author missed the obvious and common attack scenario where an attacker gains access to an email account associated with a vendor account, uses the email account to reset the vendor password, and logs in. Two factor effectively prevents this attack.
Third parties (like Google Authenticator) possessing the 2FA codes is not a problem because they don't possess the passwords and are generally "trustworthy." Losing access to the 2FA hardware isn't such a problem on platforms like Heroku that assign account recovery codes. Just PGP encrypt them and call it a day.
2FA is a valuable last line of defense against a targeted attack.
For me what this misses is the reduced impact of a single session compromise.
If an attacker gets your password, that account is compromised until you change your password (could be weeks, months or never).
With decently configured 2FA, the attacker gets a single session. If you have decent session termination/logout and restrictions on sensitive actions (like disabling 2FA) such that they require re-authentication (and re-entering another 2FA code), it can reduce the impact of compromise by quite a bit.
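Added example, not part of any comment in this thread: a minimal Python sketch of the re-authentication gate described in the comment above, where a sensitive action is allowed only after a recent password plus fresh TOTP check. The action names, the 5-minute freshness window and the `Session` class are assumptions made for illustration; the TOTP routine follows RFC 6238 with HMAC-SHA1.

```python
import hashlib
import hmac
import struct

STEP = 30        # TOTP time step in seconds (RFC 6238 default)
FRESH_FOR = 300  # assumed policy: a step-up proof stays valid for 5 minutes
SENSITIVE = {"disable_2fa", "change_password"}  # assumed action names

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Session:
    """Hypothetical server-side session that tracks step-up authentication."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.stepped_up_at = None
        self.used_counters = set()  # a real service would store this per account

    def step_up(self, password_ok: bool, code: str, now: float) -> bool:
        counter = int(now) // STEP
        if not password_ok or counter in self.used_counters:
            return False  # wrong password, or a code from this step was already used
        if not hmac.compare_digest(totp(self.secret, now), code):
            return False
        self.used_counters.add(counter)
        self.stepped_up_at = now
        return True

    def authorize(self, action: str, now: float) -> bool:
        if action not in SENSITIVE:
            return True  # ordinary actions only need the session itself
        return (self.stepped_up_at is not None
                and now - self.stepped_up_at <= FRESH_FOR)

def demo():
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    s, t0 = Session(secret), 59
    out = [s.authorize("read_inbox", t0), s.authorize("disable_2fa", t0)]
    out.append(s.step_up(True, totp(secret, t0), t0))       # fresh code accepted
    out.append(s.authorize("disable_2fa", t0 + 60))         # inside the window
    out.append(s.step_up(True, totp(secret, t0), t0))       # same code replayed
    out.append(s.authorize("disable_2fa", t0 + FRESH_FOR + 1))  # window expired
    return out
```

A holder of the session alone passes the first check in `demo()` and fails the second, which is the reduced impact the comment describes.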