[eastern]

The casual thief case is trivial. Surely, clef's goal includes protection against a somewhat more sophisticated adversary who is targeting you, specifically.

Someone gets some malware on to the phone and gets the run of it. Records the pin, later steals the phone, or is able to replicate the entire device.

This could be guarded against if the pin changed every time and was delivered through an independent channel, which is what 2FA if all about. A complete, undetected compromise of a single device or a single information channel should not be able to defeat 2FA. That doesn't appear to be the case here.

[jakobe]

But 2FA doesn't protect you from even a single compromised device. If the computer you use to access the service is compromised, an attacker can simply intercept your next login attempt. The only difference is that in the case of CLEF the vulnerable part is your mobile, not your laptop.