by chimeracoder 2734 days ago
> Afaiu 2fa primarily protects from password leaks on the part of the service and coincidentally some other kinds of leaks such as keylogging. Not so much from data theft on the user's side.

2FA is meant to protect primarily against phishing. It happens to protect against some other attacks as well, but phishing is the primary motivation.

That's why physical U2F devices are considered the gold standard of authentication today - it's possible to phish a TOTP code, but it's very difficult to phish a U2F signature, and impossible to do so through a scalable, automated attack.
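As an added illustration of the origin binding the comment relies on (example code written for this page, not from the commenter or from any real U2F implementation): a U2F authentication signature covers sha256(appId) || user-presence byte || counter || sha256(clientData), and the clientData the browser assembles names the origin the user is actually on. The model below signs exactly that layout with P-256 and shows the relying party rejecting an assertion obtained through a phishing origin, whether the phisher relays it unchanged (origin mismatch) or rewrites the clientData to claim the real origin (signature no longer verifies). The origins `bank.example` and `evil.example`, the challenge strings, and the token's willingness to sign for a foreign origin are constructed for the example; a real browser refuses the foreign appId before the token is ever asked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the JSON the browser assembles; its hash is the "challenge
// parameter" the token signs, so the origin is bound into the signature.
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the token returns and the browser forwards to the site.
type assertion struct {
	ClientDataJSON []byte
	AppIDHash      [32]byte
	UserPresence   byte
	Counter        uint32
	Signature      []byte // ASN.1 ECDSA over sha256(signedMessage(...))
}

// token is a minimal model of a U2F authenticator: one P-256 key registered
// with the relying party and a monotonically increasing usage counter.
type token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// signedMessage lays out the U2F authentication signature input:
// appIdHash(32) || userPresence(1) || counter(4, big-endian) || clientDataHash(32).
func signedMessage(appIDHash [32]byte, up byte, counter uint32, cdHash [32]byte) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := make([]byte, 0, 69)
	msg = append(msg, appIDHash[:]...)
	msg = append(msg, up)
	msg = append(msg, ctr[:]...)
	msg = append(msg, cdHash[:]...)
	return msg
}

// sign produces an assertion for the given appId over whatever clientData the
// browser handed over. A real token never learns the origin; it just signs.
func (t *token) sign(appID string, cdJSON []byte) assertion {
	t.counter++
	a := assertion{ClientDataJSON: cdJSON, AppIDHash: sha256.Sum256([]byte(appID)), UserPresence: 1, Counter: t.counter}
	digest := sha256.Sum256(signedMessage(a.AppIDHash, a.UserPresence, a.Counter, sha256.Sum256(cdJSON)))
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
	if err != nil {
		panic(err)
	}
	a.Signature = sig
	return a
}

// relyingParty is the server side: it knows its own origin and appId, the
// registered public key, and the last counter value it accepted.
type relyingParty struct {
	origin, appID string
	pub           *ecdsa.PublicKey
	lastCounter   uint32
}

// verify performs the checks a relying party must make before trusting an
// assertion; the origin check is what defeats a relayed phishing login.
func (rp *relyingParty) verify(challenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Typ != "navigator.id.getAssertion" {
		return errors.New("unexpected clientData type")
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch")
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.origin)
	}
	if a.AppIDHash != sha256.Sum256([]byte(rp.appID)) {
		return errors.New("appId mismatch")
	}
	if a.UserPresence&1 == 0 {
		return errors.New("user presence not asserted")
	}
	if a.Counter <= rp.lastCounter {
		return errors.New("counter did not increase (possible clone or replay)")
	}
	digest := sha256.Sum256(signedMessage(a.AppIDHash, a.UserPresence, a.Counter, sha256.Sum256(a.ClientDataJSON)))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], a.Signature) {
		return errors.New("signature does not verify")
	}
	rp.lastCounter = a.Counter
	return nil
}

// Demo runs one legitimate login and two phishing attempts and reports which
// ones the relying party accepted. All origins and challenges are constructed.
func Demo() (legit, relayed, tampered bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok := &token{priv: priv}
	bank := &relyingParty{origin: "https://bank.example", appID: "https://bank.example", pub: &priv.PublicKey}
	build := func(challenge, origin string) []byte {
		b, _ := json.Marshal(clientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: origin})
		return b
	}

	// 1. User is on the real site: the browser records the real origin.
	legit = bank.verify("challenge-1", tok.sign(bank.appID, build("challenge-1", bank.origin))) == nil

	// 2. Phisher at evil.example starts a login with the bank, receives a fresh
	// challenge, and has the victim's browser satisfy it. The browser records
	// the origin the victim is actually on, and the bank rejects it.
	a := tok.sign(bank.appID, build("challenge-2", "https://evil.example"))
	relayed = bank.verify("challenge-2", a) == nil

	// 3. Phisher rewrites clientData to claim the bank's origin before relaying.
	// The signature covers sha256(clientData), so it no longer verifies.
	a.ClientDataJSON = build("challenge-2", bank.origin)
	tampered = bank.verify("challenge-2", a) == nil
	return
}

func main() {
	legit, relayed, tampered := Demo()
	fmt.Printf("legitimate accepted=%v relayed accepted=%v tampered accepted=%v\n", legit, relayed, tampered)
}
```

The contrast with TOTP is that a six-digit code carries no origin at all: the same relay in scenario 2 succeeds, because the server has nothing to compare the phishing origin against. With U2F the phisher cannot get past step 2 without the victim's private key, which is why the attack does not scale.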