When I sign in with my Apple ID on Search Ads in Safari on my MacBook, it shows the Two-Factor Authentciation form.
However, the authentication code is not only send to my other devices, but also shown on the same MacBook.
I guess this is a major security flaw.
Only if the other person has your MacBook AND access to the password for your MacBook AND has the password to your ITC / Apple ID account, and if that is the case, the flaw is not with Apple, it is with you.
Ultimately, I think the main benefit of 2FA is to prevent people signing into your account from unapproved devices / locations, so even if some random person has your Apple ID, they also need access to your device. Even if they do, any other device(s) you have will be alerted to the access request and gives you plenty of opportunity to fix the problem.
