Originally Posted by
josephstern
Password maybe, but not the code from Authy. Which defeats the point of two-factor, assuming you have the password and access to a browser that has been logged in.
Honestly, if someone has your password AND access to a browser instance that has been logged in, they already have FULL access to everything you have, including all the account passwords.
At that point, disabling your two-factor authentication is not important to your attacker.