1970-01-01 4 days ago

This is a great lesson on 2FA fundamentals. Picking time-based codes for 2FA is equal to picking something you know twice. That isn't strong 2FA. That is 1FA with an extra step (1.5FA). To make it all the way to 2.0FA, you must pick something you know (password) and a private key (Yubikey, smart card, etc.) that does operations in-situ, that cannot be computed anywhere else, to then match to an expected value on the server. It therefore isn't something you know twice. It is something you know + something you have uniquely generated.
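As an added illustration of the point above (example code written for this edit, not posted by anyone in the thread): with TOTP the verifier must store the same secret the authenticator holds, so the server, or anyone who reads its secret store, can compute the code just as the user's device does. The secret and time values below are the published RFC 6238 test vector, used here as constructed input.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test secret (ASCII "12345678901234567890"); constructed input, not from the thread.
RFC6238_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 form that authenticator apps import from a provisioning URI."""
    return base64.b32decode(encoded.upper())


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(stored_secret: bytes, presented: str, at: int, window: int = 1) -> bool:
    """Server-side check. It only works because the server holds the same secret
    as the authenticator; nothing here is bound to a particular device."""
    for drift in range(-window, window + 1):
        expected = totp(stored_secret, at + drift * 30)
        if hmac.compare_digest(expected, presented):
            return True
    return False


def code_from_verifier_store(stored_secret: bytes, at: int) -> str:
    """Whoever can read the verifier's secret store derives the 'second factor' directly,
    which is why a TOTP secret database is as sensitive as the password database."""
    return totp(stored_secret, at)
```

Contrast this with a hardware key, where the server stores only a public key and the signing operation cannot be reproduced from what the server holds.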

beeflet 4 days ago | parent [-]

Strong 2FA is holding your cryptocurrency in a multisignature setup instead of an exchange that holds your keys for you and can disregard the 2FA whenever it wants.

The security bottleneck is the one institution that holds all of the responsibility. It cannot be fixed by giving more hoops to authenticate themselves to the one institution.

1970-01-01 4 days ago | parent [-]

3rd/4th party trust and has little to do with auth