"This seems like it defeats the purpose of 2FA. Am I wrong? Isn't 2FA supposed to work by proving that you own a device for which it was set up on?"
The bug is in the design of 2FA. Sooner or later Google will get rid of GV and I'll just move to another provider to front-end my SMS spam instead of sending it to my phone. The other failure mode is best displayed by my bank not realizing their site is accessible via mobile, so my two factors when customers log in on their phones are the phone people log in with and the code they're sending to the customer's phone, oh wait that's only one factor. Although in the second example the bank wins by security theater.
The bank does offer a phone app that demands access to pretty much everything on my phone presumably for marketing / spam purposes or just being weirdo creeps, so needless to say I won't leave it installed, although I did try it for a short period of time. However the bank phone app sucks so I didn't lose much by uninstalling that creep-app. Also the creep-app doesn't do 2FA and seems to be permanently logged in, so I've downgraded my account access to merely the phone lock screen level of security, which isn't very good.
While 2FA is often phrased as “Something you know and something you have”, I find that misleading. Knowledge is acquired from information, and the way they check what you have is through information alone.
What it really proves is that the telephony system authenticates you as part of their network. That authentication is done by the SIM card, which it is assumed you have unlocked with a password of entropy 13.3 if it's a PIN code with four random digits.
That, and your actual password.
By far the easiest way to get incorrectly identified through the telephony system is to break the PIN code, which requires having physical access to your SIM card. But if all your secure HTTP cookies and/or your keyrings are only protected by that as well, then yes, your 2FA has a single point of failure. It goes from an arbitrarily strong password and something you have to a 13-bit entropy password and something you have. Or, if like so many you leak PIN code information from your life or the traces you leave on the surface of your phone, just something you have.
"Pick a security picture, now write a security phrase. Please choose three security questions. Now enter a password. Would you like to enable 2FA on your phone?"
My bank's mobile app does not work on rooted phones, because they are concerned for my safety, afraid that some rogue app will get my banking info and steal my money. Well, that's my problem, isn't it?
Do you know how most people with custom ROMs bypass this? They go on XDA and download a patched version from some stranger on the internet, stored on some malware-ridden file hosting service.
2FA means something [only] you know and something [only] you have (the phone number), the 3rd factor is usually something you are (biometric).
So using a password and the SMS on the phone is still 2FA as far as I know.
However, I also consider my home PC to be safe enough that I don't want 2FA on it. Nope, banks apparently don't want to waste money on considering this user story. Or what about registering multiple tokens/phone numbers? Got a new phone? Just burn the old one, you can't have backup login methods!
Damn. I never thought I'd be happy about my usually behind-the-curve bank, but my bank's app has me type in my user code, password and then identify with my fingerprint. Now, someone could still steal my phone and log in to the bank's website -- but that'd also require my fingerprint or cracking the very long passphrase, which while it can be done, if that's what I'm up against I've probably got bigger issues than my bank account being raided...
Also the creep-app (...) seems to be permanently logged in
That's terrible. My bank's app is actually really insistent on logging me out; just locking the screen or switching apps will immediately lock it - though it doesn't lose internal state, which is nice.