The headline is the usual clickbait, but you apparently don’t understand what’s going on if you claim it’s not breaking a specific way of 2factAuth.
The point of 2fA is that someone who has your pw needs something you have, i.e. your phone.
Since this is not needed any more, this 2fA fails. It is broken. It does not work as intended. It is dysfunctional. It stopped being secure. It is pushing up the daisies. It is a late security measure. It is a gonner.
Also, Signal, which you singled out for shaming does require a paraphrase. And you can set a time limit it keeps this passphrase in memory. It encrypts even your SMS database locally, just in case someone has your phone.
Just FTR, my bank uses this type of 2fa, and I use Signal’s encryption as an additional local layer. Which is quite useless in case of this specific attack, but protects me if someone tries to get my friggin “mTAN” by just nicking my phone.
