
Yup. The target for MFA is not perfect security, but security better than passwords alone — the bar is quite low to start with. And all of the above techniques offer that to varying degrees.

I use strong passwords on all sensitive accounts, stored in a local password manager, with an authenticator app for those that don't accept my FIDO2 YubiKey. Seems good enough to me.



If a workstation is compromised, having multi-factor authentication is useless for most services:

The real targets become the HTTPS session cookies and files on disk.


Even then the external services will still require first and second factors of authentication. If your workstation is compromised on an ongoing basis, then nothing matters. If it's a one-time event, 2FA will still protect the external services.


Note that responsible sites do variations on IP / location fixation to reduce the value of exfiltrated session cookies and, of course, they're only valid for as long as you go between verifications. One really nice thing about FIDO is that it affords a low-pain “tap the button to confirm it's you” verification instead of a full password challenge.


The attacker can very easily use your workstation as a vantage point, even using your browser and your SSH sessions directly.

It makes it even more difficult to detect and trace.


Yes, which is a different threat than what was under discussion. Don't argue that we don't need seatbelts because they don't help when the driver is a kidnapper.


This is correct, which is why I am a big fan of FIDO U2F software like https://Krypt.co . This requires your phone which is essentially a second workstation to authenticate. So now you need to exploit two workstations.


No. Once you've authenticated, your sessions are the target.



