2FA is really not good for wallet security as all that 2FA does is rely on a 'trusted' third party to only give someone access when they can enter a code that is delivered to a device. This essentially means that you must give up access to the private keys to a third party, which in itself is a bad security practice.
This is a very good summation of the issue. If you use a wallet that is not completely and solely under your control, you're gonna have a bad time. If your Bitcoin keys are on another service - if signing transactions happens anywhere else but on your computer - then you are vulnerable to attack.
Internet two-factor authentication schemes prevent simple password-stealing attacks, but assume a secure unalterable communication channel, which is a bad assumption. SMS codes, challenge-response, time-based one-time passwords, yubikey, all can be proxied by an attacker and instantly replayed to the actual service.
Secure communications require encrypted and signed channels, such as done through a Java smart card provided by the internet service, which relies on the device also not being security-degraded by secret arrangement with a three-letter agency.
Look at blockchain.info wallets - in theory secure, but in practice any man-in-the-middle (such as a Tor exit node, your VPN company, hacked service home page with injection, or government tapping/redirecting the connection) or even man-on-the-side (with the poor security of https encryption) can intercept your communication with the service and steal your credentials, secrets, and Bitcoins. Since the something-you-have also goes over the wire, this provides very little security to an attacker in these positions.
With Bitcoin, you must be your own bank. You cannot ask for a refund when you are defrauded.
Real personal two-factor relies on
something you have along with
something you know. Something you know is your password to the encrypted wallet. Something you have is your local computer with the Bitcoin wallet. If someone else doesn't have both of these, they can't send Bitcoins.
Another layer of something-you-have/something-you-know can be a two-layered encryption scheme for accessing the local device. An example would be a
smart card OS drive encryption in combination with a password-based hardware drive encryption.
A further layer would be to use a
TPM module for OS full disk encryption, this requires something you know (password to unlock TPM) and something you have (motherboard/system TPM) to access the drive. The drive separated from the security device is also useless.
If you want another layer of security, lock every Bitcoin wallet storage device or computer in a safe. Then to access it you need something you have (a safe, a key) and something you know (a combination).
