We're taught that 2FA/MFA is the way to go. We're taught that it is secure. In fact, I use 2FA on my sites and I use 2FA on sites where I consider my login to be valuable information. (I use 2FA here on Linux.org, for example.)
But, not only do you need to keep that secure, you need to keep your recovery keys secure. Anyone with the password and recovery keys can log in without actually having that second factor.
This is going to be true even if we had card readers, encrypted USB drives, etc... Those can be cloned.
In my case, I keep everything securely locked up to the best of my ability. While I don't collect much personal data, people do leave usernames and email addresses in my trust. So, keeping that safe is a priority.
That a giant company like this is having trouble doing so just shows us that there's always a 'weakest point'.