However, 2FA would not have prevented the problem. The problem is twofold -- 1) account recovery (using email, SMS, or anything other than a secret key) is an effective attack vector. Especially SMS. 2) a human who will change the account recovery settings (in my case, FM changing the account recovery email address).
Hmm, you think they would have bypassed your 2FA as well? I wonder if FM can comment on that - it would be concerning. The "SMS backdoor" is the same with Gmail, etc. unless you explicitly disable it.
Our account recovery process won't allow you through at all if you lose your password, and your 2FA, and your recovery key; then you're not getting that account back.