
Doesn't that defeat the purpose of MFA?


No... the computer is a second factor just as much as a phone. Something you know (password) + something you have (computer) = MFA


If they already have your phone, you're already pwned.


>If they already have your phone, you're already pwned.

No, that's not what GP means. If the attacker manages to get malware on the Mac, for example by exploiting a browser 0day, then the attacker can simply circumvent the 2FA by making the Mac fetch the 2FA code. The user won't notice it.


If the attacker manages to get malware on the Mac, they can also wait for you to do a login, and steal your 2FA code as you enter it.


Or just steal your session tokens. Not all apps are secure enough to prevent session roaming.


Or just remote-drive your session. Token exfiltration isn't required if you can do XSS or, say, script injection via browser extensions (and exfiltration is more likely to hit anomaly/fraud detection).


Same could be said of the phone, right? A zero day on the phone would circumvent the 2FA.

Really, the SMS part is the actual weak link in the chain. Easier to hijack SMS than own a computer or phone.


> Easier to hijack SMS than own a computer or phone.

That depends on the country; in Germany it's way more difficult.


Why would you say that? All it takes is one telco employee taking a bribe or screwing up some configuration or...


Why?



