You don't have to do 2FA, but there's liability in being vulnerable to credential-stuffing, and 2FA is one of many ways to mitigate that.