In both the original article and @sevenlevelmuddle’s old account reset, one authentication factor had been broken through losing or forgetting the password.
I don't agree. The first factor has not been 'broken', it has been dismissed by the provider in the interests of providing continued service whilst minimising customer support overheads. Security is then reduced to single factor, and an incredibly weak factor at that - much weaker than a simple password requirement.
A far more useful 'second factor', for account recovery, is a letter sent in the post to the home address of the account. Some of the more serious UK financial institutions, as well as HMRC, do so. The delay so caused is a further disincentive against any attempt to abuse it. But can you imagine Google, or the money-grabbing mainstream banks, really wanting the bother of communicating with their customers that way?
It is worth stressing that, despite screaming headlines in newspapers, password 'hacking' is very, very rare. Most passwords are 'stolen' either by hacking the provider or by phishing techniques.