I have 2FA enabled but not using SMS but using OATH Toolkit. The keys are stored in a TrueCrypt file system protected by a password locally. I think your article missed one big point is that what if Facebook/Gmail/... gave those things without even asking the person.