Well, if a person can't take responsibility for a private key then I don't know. However, nobody can sign anything without your key. 2fa is useless if a site, or database gets compromised. I think 2fa is obsolete since 2015 latest since web3 signers became a thing around 2018 (metamask etc). Nostr authentication is no different.