2FA is now (very) widely understood, but still a lot of people see it as a "faff".
A scam caller phoned me today: there was "an order in my name", for £thousands 💶. Which of course I can't see or cancel - because it never existed.
"Oh is that not for you sir? Oh my. Well I can't cancel it just like that so I'm afraid you will be charged. Oh you can't see it, I forgot. Well if you like then I can cancel it if I get an OTP message on your phone, would you like me to have that sent to you?"
Guff, right? Who falls for this?
The point is not whether I fell for it or not (which of course I didn't). The point is that the OTP could only be triggered by them if they already had my password.
Ergo 2FA saved my bacon.