But basically what swift is describing is both:
That a lot of services let you use your phone as a full login method if everything else fails, without additional auth by default (example: Gmail. Pretend you forgot your password and try it).
Also, your password may leak, be stolen or reused from somewhere compromised, and you expect the 2FA to protect against that (example: bank).
Plus, like your example that verifies email: if they get into your email because it allows single factor, isn't that the same thing?