Unless you mean the webserver they use being attacked, but that is just as vulnerable for 2fa. The only difference is the user cannot screw up and use the same credential on multiple websites with 2fa.
Even people that do this incorrectly and reuse passwords probably also store their passwords in their browser, which is on the same device as their authenticator app. So I would guess by far the majority of people are only using something they have twice.
Storing both on one device sounds like a pretty stupid thing to do. Sure, it's convenient, but you are putting a looooot of trust into the assumption that your single device will never be compromised.
Even if someone steals your phone, you should have a passcode. If they know or guess your passcode, well… someone could steal your house/car keys too, and we still carry them around anyway :)
In this scenario, you are assuming that the client is not compromised (since otherwise they would just steal it before you use it), the server is not compromised (otherwise what is the point), and you do not have an active mitm (otherwise they could use the token directly instead of replaying).
All that really leaves is you have someone capable of passively eavesdropping a TLS connection (usually much harder to do than active mitm). I suppose someone literally looking over your shoulder or recording you with a hidden camera - but even then they just have to out-race you hitting submit.
Anyways. Not a realistic threat in my mind.
We used to think that
> It helps against an attack that's specifically targeting you
would be sufficient, because, like, who cares about little old me? But in the era of API intelligence, setting up a specific agent to target every person seems automatable.
If all that was missing before was a sufficiently-motivated attacker who would learn about you and your patterns, and that couldn't scale because we didn't have enough dedicated bad guys, that seems like it's about to change pretty quick.