This makes it far more
secure than merely using either key alone, as, even if an attacker guesses or steals your password for a 2FA protected
page, he also needs to have your mobile phone, token
card, fingerprint, or whatever its «2nd factor» key is, in order to
get access to your account.
For instance, Opera Reborn users will
get notifications if they're typing in sensitive information such as a credit
card number or a password into a
page that's not HTTPS
secured.