Some providers (looking at you, Intuit) don't seem to understand TWO factor authentication and will allow someone to bypass your password if they can intercept the SMS or email, and treat it as a normal login.