Yea a combo is more problemtic, I could see why thats an issue. Most important stuff in my life has 2FA with my phone thankfully. My banking password got breached like 3 years ago and i still didnt change it... nothing ever happened. I am guessing tech companies that could have huge negative influence on your life should have additional security measures in place, like not allowing a login from a different country unless some kinda mobile code is provided or stuff like that. I'm pretty naive with all that tbh.