On the contrary, single-factor authentication is generally fine (MFA is still better, of course) if the single-factor is an authenticator application or, better yet, a U2F hardware key. If anything in modern web security is theater, it is the password (and SMS MFA but that's because SMS is a joke to takeover).