If I have a 20+ character password for my exchange, why should I use 2FA if all it takes is for the software from Authy to have a bad update and lock me out of my account?
I recovered my Coinbase account after getting a new phone
Because keyloggers
keylogger doesn't care how long your password is
use Google Authenticator btw, it's linked to your device so even if your messages are re-directed (this happened: https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac), the hacker would actually HAVE to have your physical phone to continue
database w/ password can be compromised. keyloggers. etc.