Sign in + SMS code = 2 factors. That's what they think.

A strong password and possession of the hardware are the most effective security measures. Everything else is marketing hype trying to convince people to buy unnecessary "security" gizmos.

You make a good observation about the vulnerabilities of servers. Hackers are aiming at the source, not our individual devices.