Typically, you can also reset password via email, so it's really only one factor. Compromised email = compromised server.