I think there have been so many password breaches that most sites feel that passwords alone are insufficient for security purposes. Most users reuse passwords and if sites don't enforce 2FA they open themselves up to batch account compromises via script kiddies trying all combos found in the username/password dumps found on various haxor forums.
This is especially true for sites that provide email accounts for users on sites like yahoo which are the 2FA for many other sites a user has accounts on. Gaining access to a yahoo user's email account could allow someone to reset all their passwords on any 3rd account they used that email address for when they signed up.
This is especially true for sites that provide email accounts for users on sites like yahoo which are the 2FA for many other sites a user has accounts on. Gaining access to a yahoo user's email account could allow someone to reset all their passwords on any 3rd account they used that email address for when they signed up.