The author is correct to attack Google’s authentication protocol, but the password reset procedure is the gaping security hole. The author is focusing on the distinction between “hard” tokens vs “soft” tokens from NIST 800-63 Level 4. But in the Grant Blakeman case, the first factor (password) was never compromised. It was the Google password reset procedure that sidestepped all the security of the two factors. All you need is to answer easy trivia questions and to text a code to a phone number in order to take over a Gmail account.
I understand how sending an SMS text is 2-step verification, however this article then tries to expand this to include smartphone apps like Google Authenticator, which is just wrong.
The argument they use is that Google Authenticator is something-you-know auth because you "know" the token; however, from my understanding this isn't any different from any other synchronous 2FA.
2FA, whether sync, async or challenge-response, requires your device to store a password, OTP or key pair.