[enraged_camel]

>>"Require 2FA for everybody, full stop" would do the trick.

How do you require 2FA for the Find My iPhone application when the only context for using that application is one in which your phone is lost?

[aganders3]

Most 2FA schemes give you some backup codes. I'm sure people use Find My iPhone differently, but it's not unreasonable to suspect them to be used rarely. Once your device is back in-hand you could generate a few new backup codes.