
aequitas, yesterday at 4:46 PM

Doesn't this kind of defeat the purpose of MFA in that you now have both factors within the same application?


Replies

SchemaLoad, today at 6:21 AM

You don't actually need MFA. This whole thing came about because people reuse passwords between websites, and websites have their databases hacked all the time, so the same password can be used to log in on other sites.

2FA codes solve that because you can't reuse them between websites, so one website getting hacked doesn't expose all of them.

swiftcoder, today at 6:16 AM

SMS 2fac isn't any better in this regard, since you typically receive the SMS on the same device that stores your passwords.