Keep in mind too that this argument chains - if your 2FA can be disabled with access to your phone/SMS, and your phone account can be updated with an email challenge response (or just a confident voice-call to your carrier's customer service), it's just one extra level of hoop-jumping for your attacker.