> when nearly all hacks have nothing to do with breaking credentials.
This seems like a big claim to make. My understanding is that by far the most common reason accounts are compromised is password reuse combined with another site being compromised.
Sure, I guess that is a wrong assumption on my part.
Perhaps a better way to word it is: two-factor auth only seems to protect you if all the other parts of site authentication are solid, which rarely seems to be true.
Well of course if you exclude all of the attacks that didn't happen because 2fa was enabled, then ya, 2fa won't protect you against the ones that still happen. Let's compare this to... car safety. Ya, if you get hit head-on by an 18-wheeler on the highway, your seatbelt is only going to help you as much as the rest of the safety of the car. But in pretty much every other situation, I would be glad to be wearing my seatbelt.
It's uncharitable to focus on the small slice of situations in which something doesn't work in order to deem it useless.