Thanks for giving us the benefit of your wisdom Jamey.

The fact is attackers can, and do gain access by either or both. It happens all the time, actually. Hence the reason folk are complaining.

One of its main selling points, is so you can use the second access method if you find you lost access to the first one, by say losing a password, or worse, having it reset with no way of knowing who or why did the reset.

Its not like having physical keys, can't compare, unfortunately.

So the odds are either or both, which is x3 ways to get in vs just one, with one lock, one key.

With MFA, you are literally creating a network that can be used to attack all entry points from all angles.

Are you not familiar with Metcalfe's law?