Two-step authentication was not always required in the past for logging into MyUSPTO. With the issue of not being able to retrieve code emails today, it seems smart for the Office to eliminate any requirement for two-step authentication at the MyUSPTO login stage.
Instead, require the two-step authentication when the user attempts to access a secure system for the first time. For example, the first time someone clicks on the Private PAIR access link. Then the secure login should be active for all secure systems.