That's crazy, you can easily send special user agent strings and choose mobile URLs; therefore being able to totally avoid 2FA. Stupid!