If you don't understand the different types of 2FA available, I don't think you're really in a position to be making blanket statements about if people should be using it or not.

"The application" is an open standard called TOTP, which doesn't require any specific application. I just set up 2FA for my personal GitHub account using a TOTP app on my Pebble watch. The actual crypto for the 2FA is done locally on the watch, no other device can spoof it, and GitHub get exactly zero feedback or information from this - other than the 2FA code that I type, of course.

There's other ways to do 2FA - U2F is an upcoming standard and people have been using dongle-generated codes from RSA for years.

Before making pronouncements that go against current best practices for end users, you really need to get a much better understanding of what you're talking about. Saying nonsense in a confidence voice is enough to convince people that your terrible advice is worth following, and could result in them having worse information security as a result.

> What on earth are you on about?

You can have the most secure/hardened email server on the planet but if I can change your mx record at your dns provider it will do you no good. And there are multiple attacks against DNS that don't require me to target your provider even (e.g. https://en.wikipedia.org/wiki/DNS_spoofing)

And once all your emails are being sent to me, I can own every account you've signed up for using that email (through reset password). And currently the only reliable defence against that is 2FA.