Looks like a textbook case of the Dunning–Kruger effect to me.
Two-Factor Authentication (TFA) is a security process that requires users to provide two different forms of identification to access an account or system. Typically, it involves something the user knows (like a password) and something they have (like a mobile device to receive a code).
If someone manages to obtain your credentials via, say, a data breach, then TFA ensures that they also have access to a previously registered device or phone number.
It's true that if said application is on your phone, then your risk factor does indeed go up and you need to ensure that your device passcode/password is protected and secure.
Going forward, iOS 18 will allow you to enable biometric protection on a per-application basis. So said individual would need to steal your phone, know the passcode, and then be able to do biometric authentication before launching the banking app as well.
Be sure to protect your email application that way as well. It's just as critical to protect email communications as it is financial applications.
Is TFA perfect? Nope. Is it better than allowing account access from any device and with nothing more than your email address and your "secret123" password?
Yep.