it doesn't mean you can stop paying attention to where you're going just because you have 2FA enabled.

Receiving your code via SMS is probably the worst out of the 2FA options out there (still better than nothing at all). But, if you're concerned about someone being able to futz with SS7 and/or sim cards...then you gotta be more concerned about an active attacker intercepting the 2FA code when you enter it into a dirty website, cuz that's easier to pull off.

Example, let's say you fell for one of these "hey are you available" phishing emails and after some back and forth, I've convinced you to click on a link in an email which takes you to my phishing site. And I am waiting. You enter in your credentials into my phishing site...I pass that info along to the real site...then my phishing site tells you to "please enter in your six digit code or accept your push notification". So, you pass your code to me and I enter it into the real site that's asking for your 2FA code (and yes these codes self destruct, but I'm actively attacking you) or better yet, I just wait for you to accept your push notification.

Now, if someone is on their job, there's probably an automated process that sees that the push notification was accepted on a device with an IP address that is in a totally different geo-location than the IP address that's logging into the legitimate website and blocks the logon attempt....more likely, that process is just monitoring and they'll know something happened after the fact.

Using something like a yubikey (U2F) would probably be the more secure 2FA solution, since the device has to be accessible by the browser of whomever is triggering the authentication. As an attacker, getting you to press your yubikey attached to your computer does nothing for me....for now...

~~~~~~~~
A bad Samaritan averaging above average men (c) DOOM